Preface



ACISP 2000, the Fifth Australasian Conference on Information Security and Privacy, was held in Brisbane, Australia, 10-12 July, 2000. The conference was sponsored by the Information Security Research Centre at Queensland University of Technology, the Australian Computer Society, Telstra, Boeing Australia Limited, SecureCate Limited, and RSA Security Pty Ltd. We are grateful to all these organizations for their support of the conference.

The conference brought together researchers, designers, implementors, and users of information security systems. The aim of the conference is to have a series of technical refereed and invited papers to discuss all different aspects of information security. The program committee invited seven distinguished speakers: Mike Burmester, G.R. Blakley, Bob Blakley, Brian Denehy, Roger Lyle, John Snare, and Alan Underwood. Mike Burmester from Royal Holloway College, University of London presented a paper entitled “A Survey of Key Distribution”; G.R. Blakley from Texas A&M University and Bob Blakley from the IBM Tivoli Security Business Unit presented a paper entitled “All Sail, No Anchor, I: Cryptography, Risk, and e-Commerce”; Brian Denehy from SecureCate Limited presented a paper entitled “Secure Networks or Network Security - Approaches to Both”; Roger Lyle from Standards Australia and John Snare from Telstra presented a paper entitled “Perspectives on Australia’s New Information Security Management Standard”; and Alan Underwood from the Australian Computer Society presented a paper entitled “Professional Ethics in a Security and Privacy Context - The Perspective of a National Computing Society”.

There were 81 technical papers submitted to the conference from an international authorship. These papers were refereed by the program committee and 37 papers were accepted for the conference. We would like to thank the authors of all papers which were submitted to the conference, both those whose work is included in these proceedings, and those whose work could not be accommodated.

The papers included in the conference came from a number of countries including 13 from Australia, six from Japan, five from the USA, four from Singapore, three from Korea, two from Greece, and one each from the UK, Germany, Norway, and Yugoslavia. These papers covered topics in network security, public key cryptography, cryptographic implementation issues, electronic commerce, key recovery, public key infrastructure, Boolean functions, intrusion detection, codes, digital signatures, secret sharing, and protocols.

The conference included a panel session entitled “Future Directions in Secure 
E-Commerce”. This panel was chaired by William Caelli and included leaders 
in technology, law, and public policy related to the security issues and problems 
of electronic commerce. 

We would like to thank all the people involved in organizing this conference. In particular we would like to thank members of the program committee for their effort in reviewing papers and designing an excellent program. Special thanks to members of the organizing committee for their time and effort in organizing the conference, especially Ernest Foo, Gary Gaskell, Betty Hansford, Liz Lipowitz, Mark Looi, Lauren May, and Christine Orme. Finally we would like to thank all the participants at ACISP 2000.



May 2000 Ed Dawson
Andrew Clark
Colin Boyd
Protecting Confidentiality against Trojan Horse Programs in Discretionary Access Control System



Adrian Spalka, Armin B. Cremers, and Hartmut Lehmler 



Department of Computer Science III, University of Bonn 
Roemerstrasse 164, D-53117 Bonn, Germany 
Fax: +49-228-734 382. adrian@cs.uni-bonn.de 



Abstract. Mandatory access control systems (MAC) are often criticised for their lack of flexibility, but they protect a system’s confidentiality from a wide range of untrustworthy Trojan Horse programs. On the other hand, discretionary access control systems (DAC) place no restriction on flexibility. But, at present, they are generally regarded as inherently defenceless against all kinds of untrustworthy programs. We believe that this trade-off is not unavoidable. We show that, for lack of distinction between a user’s and a program’s trustworthiness, the vulnerability of DAC is design-based. On these grounds we present a modified DAC. The central idea is the separation of the management of rights from other activities of a user. The resulting system offers the flexibility of DAC and the protection of MAC.



1 Introduction 

The development of multi-user computers created the need for security and protection. Early works on this issue, eg [5] and [6], addressed both its very technical and very general aspects. This, probably, inspired a systematic computer-orientated, or, to be more precise, operating-system-orientated treatment of security and protection. In the early seventies, access control models were recognised as an important means of protection.

One of the first works which mentions discretionary access control systems is [3]. This, and other works of this period, illustrate the motivation for the development of DAC. It is mainly driven by a practical consideration of the way a computer administers its resources and the way users interact with a computer. The approach is simple. In a first step, determine the resources of a computer that require protection and identify them as protection units. Resources are manipulated and consumed by processes, but each process acts on behalf of a user account. Thus, in the second step, identify the user accounts as the acting or active units. And, lastly, assign to each protection unit a user account, which is said to be its owner. Like the owner of a car can decide where to drive or whom to give a ride, the owner of a resource can decide with whom and in which way he would like to share his resource. Since the way a protection unit will be shared or not shared cannot be anticipated - it is completely at the owner’s discretion - it is best to provide for all possibilities. The result of this process is the discretionary access control model, a state of which is represented in - and which itself is sometimes colloquially identified with - the well known access control matrix.

At the same time, government and military institutions pursued a different aim. Less interested in the way a computer organises its resources, they desired a protection system that reflects their fixed organisational structure and their way of handling classified documents. The protection objectives were clearly stated by the mandatory security policy, which is aptly explained by [7]:

The dissemination of information of a particular security level (including sensitivity level and any compartments or caveats) to individuals lacking the appropriate clearances for that level is prohibited by law¹.

[1] presented a solution to the problem of enforcing this requirement on computers: the Bell/La Padula mandatory access control model (MAC). Like the DAC, the MAC has protection units, which are denoted as objects, and active units, denoted as subjects. In concordance with the original situation, each object and subject has an additional attribute, its classification. Lastly, the access control rules are described solely by two properties, the Simple-Security-Property and the *-Property, which refer to the classification of objects and subjects.

Today, both models are regarded as fundamentally different, and, to motivate this, the following three reasons are often mentioned².

1. They have little in common with respect to their definition. Both have objects and subjects. But DAC uses an access control matrix and MAC uses classification based access rules.

2. They have a different degree of flexibility. DAC can be adapted to any environment. MAC requires the resources and users to be classified or cleared and the classification levels partially ordered³.

3. They have contrasting protection qualities. DAC is said to be inherently defenceless against all kinds of untrustworthy programs. Whereas MAC provably protects from a wide range of untrustworthy programs.

Thus, DAC is said to offer good flexibility but poor protection. In contrast to it, MAC offers little flexibility, but good protection. Presented as orthogonal properties, more flexibility is only achievable at the expense of protection, and vice versa. This does not seem to be surprising, and even the historical development can be mentioned in support of it.

Although seemingly accredited, this distinction does not seem to be indisputable. We have grounds to believe that DAC can be modified in such a way that MAC can be seen as a special-case-secure-DAC.

¹ Landwehr (1981):249.

² There are many works we can cite here. One of the more recent is Castano et al (1994), cf, eg, p 81.

³ Some authors even require the levels to form a lattice.
Such a view is obvious with respect to the security policies. According to a discretionary security policy, each user can determine other users’ rights to the objects he owns at his own discretion. In a mandatory security policy we can regard one special user, the trusted labeller, as the owner of all objects, who is allowed - within certain limits - to determine all other users’ rights to them at his own discretion. And an ordinary user can only act within the limits set by his security level.

In respect of the above-mentioned first difference in the definitions of the models, it is easy to translate the classification and the access control rules of MAC into, and represent them as, an access control matrix. The second difference supports our view. But we can also show [formally, if desired] that each access control matrix can be translated to the MAC context, ie be represented as a MAC.

The only remaining problem is the third difference. We present a solution to 
it based on the following observations. Trojan Horse programs, which attempt 
to violate confidentiality, exploit two possibilities of rights management: 

— the free change of rights to existing objects: the malevolent program grants 
read-access to the object in contravention of the owner’s intention 

— the free choice of rights to newly created objects: the malevolent program 
creates a copy of the object or part of it and grants read-access to the copy 
in contravention of the owner’s intention 

MAC counters this threat by eliminating both options. An ordinary user (ie not 
the trusted labeller) cannot change the classification, ie the rights, to an existing 
object. And, once logged in at a particular security level, the classification of 
this level, ie the rights corresponding to it, is always assigned to all objects he 
creates. 

To design AS-DAC, the Advanced Security Discretionary Access Control 
Model, which should protect a system’s confidentiality against Trojan Horse 
programs, we propose to introduce two user-accounts for each user. In the first 
one, the trusted account, he will act as his own trusted labeller, ie he can change 
the rights to existing objects owned by him and determine the rights that will 
apply to objects created in his other account. Since, analogous to MAC, all 
operations the user is permitted to perform in this account must be trustworthy, 
we assume that these are the only admissible operations in a trusted account. 
In his other account, the general account, a user can perform any operation 
except those of the trusted account. The operations admitted here need not be 
trustworthy with respect to confidentiality, ie they may comprise Trojan Horse 
programs wanting to compromise the system’s confidentiality. The result is an 
access control model which offers the flexibility of DAC and the protection of 
MAC. 

Our ideas presented in this paper are already implemented in Linux. We 
have modified the kernel, the file system and all affected system calls and other 
parts of the operating system, which a Trojan Horse program can use to com- 
promise confidentiality. The implementation is freely available upon request to 
the authors. 
The subsequent section defines mandatory and discretionary confidentiality policies⁴ and access control models. Section 3 analyses the protection principles of MAC from the viewpoint of discretionary controls. On these grounds section 4 introduces AS-DAC. Lastly, a conclusion will summarise the results of this work and present some thoughts on the future development of AS-DAC.



2 MAC and DAC 

At the general level, a security policy is an - often informal - assessment of the value of the computer resources and the determination of the resulting protection requirements. A mandatory security policy definitely ascertains both components, a resource’s value and the protection requirements. A discretionary security policy only states at whose discretion their determination is left.

The notion of security comprises at least four factors on which it can actually 
depend: confidentiality, integrity, availability and accountability. However, some 
prominent security policies care only about confidentiality. We believe that in 
such cases they should be named confidentiality policies instead. 



2.1 Mandatory Confidentiality Policies 

Originally, mandatory confidentiality policies were developed to protect paper-based documents of military and government agencies. They rely on a classification scheme that assigns to each document and to each person a security level. The protection requirements are then determined according to the citation of [7] presented on page 2. In addition to it, the following assumption is made about the behaviour of the persons:

When a document is not in a safe, it is in the custody of some individual trusted not to distribute it improperly.⁵

This statement is very important because it clearly shows the grounds on which 
rights to persons are granted: when A grants to B a right, eg to have read-access 
to an object, then A assumes that B will not use this right in contravention of 
A’s intentions or interests. 

Both statements allow us to view the security level of a document, its sensitivity, as its degree of confidentiality, and the security level of a person, his clearance, as his degree of trustworthiness.

⁴ To be more precise we prefer the word ‘confidentiality’ instead of ‘security’. Confidentiality precisely states its protection objective, whereas security - although often used with the intended meaning of confidentiality - can as well refer to integrity, availability etc.

⁵ Landwehr (1981):250. This statement also demonstrates that the *-Property (introduced on page 6) is not concerned with untrustworthy users but only with untrustworthy programs.
Formally, we therefore define an instance of a mandatory confidentiality policy, MCP, as follows:

$MCP = (S, O, (L, \le), F, PMR)$

1. $S$ is the set of user accounts called subjects (corresponds to persons)

2. $O$ is the set of protection units called objects (corresponds to documents)

3. $L$ is the set of security levels on which the partial order ‘$\le$’ is defined

4. $F : S \cup O \to L$ is the labelling function⁶ which assigns a security level to all subjects and objects

5. $PMR$ is the following Primitive Mandatory Requirement: Let $s \in S$ and $o \in O$, then $o$ must be kept secret from $s$ if $F(o) \le F(s)$ does not hold.

The partial order on $L$ can be motivated in two ways. From a practical viewpoint⁷, we can consider an ordered set $K$ of generic security degrees and a set $C$ of compartments, and define $(k, c)$, $k \in K$ and $c \subseteq C$, as a security level. Then

$(k_1, c_1) \le (k_2, c_2) \;:\Leftrightarrow\; k_1 \le k_2 \,\wedge\, c_1 \subseteq c_2$

is a canonical partial order on the set of all security levels. There is also an axiomatic approach, which we introduce in section 4.

In contrast to an often found one, our definition of an MCP comprises an 
additional component, the Primitive Mandatory Requirement. The reason for 
its inclusion is the necessity of a clear statement on what the security levels 
are precisely for. In particular, we would like to emphasise that security levels 
and access classes are not synonyms. An instance of an MCP uses security 
levels to express only prohibitions of information dissemination, ie confidentiality 
demands. Of course, the application of an MCP to a specific environment, ie, a 
specific operational translation of it may interpret security levels as access classes 
or access restrictions - however, not until after it has been explicitly shown that 
this use is compatible with the intention of the prohibitions. 

2.2 Mandatory Access Control 

Today’s mandatory access control models mostly rely on the work of [1], which was continued and refined by many authors, eg [4]. The Bell/La Padula mandatory access control model, BLP, is an operational translation of an instance of a mandatory confidentiality policy into the context of an operating system abstraction. The enforcement of confidentiality demands is accomplished only with access restrictions. In respect of the preceding discussion of the PMR, the assumptions of this model allow the direct identification of security levels with access classes.

The effective protection against many kinds of untrustworthy programs is not a quality of MCP. As such, an MCP is a declarative statement of demands which has no notion of operating systems or programs. It is definitely a quality of BLP, one of MCP’s operational translations.

⁶ The sets $S$ and $O$ are obviously disjoint.

⁷ Cf, eg, Landwehr (1981).

The following examination of BLP is the key to recognising the reasons for the weakness of present discretionary access control models. Starting point of BLP:

— An instance $MCP = (S, O, (L, \le), F, PMR)$

Aim of BLP:

— Operational interpretation of MCP in the context of an operating system abstraction

Assumptions made by BLP:

— The general user-accounts constitute the set $S$

— There is a distinguished trusted user-account $t$, $t \notin S$, the Trusted Labeller

— The assignment of users to user-accounts is externally (to BLP) reliably guaranteed

— The following statements hold for $t$, the Trusted Labeller:

• Only $t$ is allowed to change $(L, \le)$, ie, manipulate the security levels and their order

• Only $t$ is allowed to change $S$, ie, add or remove user-accounts

• Only $t$ is allowed to and obliged to classify the user-accounts, ie, $t$ determines the function $F|_S : S \to L$

• Only $t$ is allowed to change the clearance of a subject or the sensitivity of an object, ie, to change the value of $F(s)$ or $F(o)$

— The following statements hold for an $s \in S$, a general user-account:

• The value of $F(s)$ matches the clearance of the user to whom the user-account $s$ has been assigned

• $F(s)$ represents the maximum degree of trustworthiness of $s$, ie

$Z(s) = \{\, l \in L \mid l \le F(s) \,\}$

is the set of his allowed security levels

— The following statements hold for the set $O$:

• The objects $O$ are a set of resources of the operating system

• An object can be created only with the create-function and deleted only with the delete-function

• An object has a state⁸ which can be viewed only with the read-function and modified only with the write-function

— The following statements hold for processes/programs:

• All processes/programs $t$ can execute are trustworthy

• Any process/program an $s \in S$ can execute is possibly untrustworthy

— The following statements hold for sessions:

• The login-procedure is a trustworthy entry into the operating system

⁸ For example, the state of a file is its name and contents.
• At login-time the user identified with the user-account $s$ chooses at his discretion a value $l \in Z(s)$, which determines the security level of the whole session $A(s, l)$

• The sensitivity $l$ is assigned to every object $o$ created during the session $A(s, l)$, ie, if create($o$) is successfully called during $A(s, l)$, then $F(o) = l$

— Interpretation of the PMR: To keep $o$ secret from $s$, $s$ must not be allowed to view $o$

Postulates of BLP:

— Simple-Security-Property:

During the session $A(s, l)$ the function read is defined only for the set

$\{\, o \in O \mid F(o) \le l \,\} \subseteq O$

— *-Property:

During the session $A(s, l)$ the function write is defined only for the set

$W_{A(s,l)} = \{\, o \in O \mid F(o) = l \,\} \subseteq O$

The satisfaction of the PMR with respect to trustworthy operations is guaranteed, almost trivially, by the Simple-Security-Property. The largest set of objects an $s \in S$ can read is

$\{\, o \in O \mid F(o) \le F(s) \,\}$

Since BLP treats an object’s security level as a part of its name, it is easy to show that a user does not even learn of the existence of objects that should be kept secret from him.

The satisfaction of the PMR with respect to untrustworthy operations is guaranteed by several precautions. The *-Property prevents a malevolent program from directly copying a resource’s state, or a part of it, to an object the sensitivity of which contravenes the PMR. To block more sophisticated paths, a general user-account possesses no rights management operations. Here, the rights to existing objects cannot be changed at all. And the rights given to a new object are always those fixed to the security level of the session. Thus by selecting the session’s security level at login-time the user also chooses the rights he would like to give to other users to objects he newly creates.

The set of rights a user s can choose from is that coupled to the security 
levels of the set Z{s). Since the user can choose any of these levels as a session’s 
security level at his own discretion, we can say that the set Z(s) represents the 
discretionary share of BLP. There are two mandatory aspects with respect to 
Z{s). Firstly, the trusted labeller decides (at his discretion) on the clearance of 
an s, and, thus determines the set Z{s). And, secondly, the decision on the rights 
coupled to a security level is made in concordance with the partial order of the 
set of security levels and the Simple-Security-Property. 

Before we further exploit these observations, we take a look at today’s discretionary security.

2.3 Discretionary Confidentiality Policies

Due to their origin, mandatory confidentiality policies were written down, sometimes with stringent precision, a long time ago. Sadly, the written tracks of discretionary confidentiality policies cannot be found that easily. That notwithstanding, the main two statements of a discretionary confidentiality policy are the following ones:

— Each protection unit is owned by a subject

— The owner of a protection unit decides on its protection requirements at his discretion

Both statements are clear and quite simple. The only question we can still ask, how, when and why does a subject become the owner of an object, has been given very little attention. We have the impression that the answer is often dictated - yet not further contemplated - by the convenience of a particular operational translation. For example, in operating systems one takes it for granted and regards nearly as ‘natural’ that the creator of an object is also its owner.

Given that the issue of who becomes owner of what has somehow been resolved, the second statement provides the information for a formal representation. The idea is simple. Firstly, let the owner of each object state his confidentiality demands. A confidentiality demand is the statement ‘I want to keep $o$ secret from $s$’. Then collect all these demands. And, lastly, group them according to the subjects mentioned in the demands, viz, list for each subject the objects which should be kept secret from him.

Formally, we define an instance of a discretionary confidentiality policy, DCP, as follows:

$DCP = (S, O, secret)$

— $S$ is the set of persons

— $O$ is the set of protection units

— $secret : S \to \mathcal{P}(O)$ is a function that assigns to each subject $s \in S$ a set $secret(s) \subseteq O$.

— $o \in secret(s)$ if $o$ should be kept secret from $s$

The function $secret$ represents the owners’ discretionary decisions. Since there need not be any functional dependence between their decisions, all we can say about the structure of the result is that it is a set. The last point corresponds to the PMR in the mandatory case.

2.4 Discretionary Access Control 

We now examine discretionary access controls implemented in many operating systems. From the perspective of a systematic approach one would expect that a discretionary access control model is designed with the aim of being an operational translation of an instance of a discretionary confidentiality policy. This, however, is not so.
Today, an instance of a discretionary access control model is often represented as

$DAC = (O, S, R, G, Z)$

such that:

— $O$ is a set of resources

— $S$ is the set of user-accounts

— $R$ is the set of rights

— $G : O \times S \to \mathcal{P}(R)$ is a (most often constant) rights-assignment function which determines the rights a user-account has to a resource

— $Z$ comprises the following two access rules:

• The creator of an object becomes its owner

• Only the owner of an object is allowed to change the rights-assignment to it

The notion access control matrix stems from the fact that both $O$ and $S$ are finite sets and $G$ can thus be represented in tabular form, which can also be regarded as a matrix.

To reveal the susceptibility of DAC to untrustworthy programs we examine it in a style similar to that of BLP.

Starting point of DAC: 

— An instance $DCP = (S, O, secret)$

Aim of DAC: 

— Operational interpretation of DCP in the context of an operating system abstraction

Assumptions made by DAC: 

— All user-accounts constitute the set $S$

— There is a distinguished user-account $a$, $a \in S$, the Administrator

— The assignment of users to user-accounts is externally (to DAC) reliably guaranteed

— Only the Administrator $a$ is allowed to change $S$, ie, add or remove user-accounts

— Let $s \in S$ be the owner of $o \in O$. Then only $s$ is allowed to change other subjects’ rights to $o$, ie, $s$ determines the function $G|_{\{o\}} : S \to \mathcal{P}(R)$

— The following statements hold for the set $O$:

• The objects $O$ are a set of resources of the operating system

• An object can be created only with the create-function and deleted only with the delete-function

• An object has a state which can be viewed only with the read-function and modified only with the write-function

— The following statement holds for processes/programs:

• All processes/programs an $s \in S$ can execute are assumed to be trustworthy!!

— The following statements hold for sessions:

• The login-procedure is a trustworthy entry into the operating system

• The assignment of rights to an object $o$ created during a session of $s$ is unrestricted, ie, if create($o$) is successfully called during a session of $s$, then $G|_{\{o\}} : S \to \mathcal{P}(R)$ can be freely chosen!!

• The rights to existing objects owned by $s$ can be changed during any session of $s$ at his discretion!!

— Interpretation of $o \in secret(s)$: To keep $o$ secret from $s$, $s$ must not be allowed to view $o$

Postulate of DAC:

— During any session, $s$ can exercise only the rights stated in $G$ and implied by his ownership

The satisfaction of confidentiality demands stated in DCP with respect to trustworthy operations is guaranteed, of course, by this postulate. At the same time, we can clearly see the reason for DAC’s problems with untrustworthy programs. DAC has no precautions to enforce confidentiality demands in the presence of untrustworthy programs because the possibility of their existence has not been accounted for! We have therefore good grounds to believe that DAC’s weakness - at least with respect to those threats BLP successfully defends against - is in no way inherent to DAC, but simply a matter of DAC’s present design.

2.5 Summary 

The examination presented above has shown that the strength of BLP (and the weakness of DAC) relies on the following assumptions:

— There is one account such that all programs/processes that can be executed there are trustworthy

— There are trustworthy rights-management operations

— Untrustworthy programs exploit rights-management operations

— The rights applied to newly created objects are determined at login-time

— Accounts in which possibly untrustworthy programs/processes can be executed have no rights-management operations

Thus, these points must be accommodated in discretionary access controls to make them more resistant to untrustworthy programs.
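The contrast between the DAC assumptions of section 2.4 (rights freely changeable in any session) and the five points just listed can be made concrete with a small model. The following Python is an added example, not the authors' Linux implementation nor the AS-DAC of section 4: `DacModel` is the traditional DAC defined above, and `SplitDacModel` is an assumed minimal variant in which rights-management operations exist only in a trusted account and a work session's rights for new objects are fixed at login; the account names, the `mask` parameter and the scenario are constructed for illustration.

```python
class DacModel:
    """Traditional DAC of section 2.4: the creator owns an object, and a program
    running in any session of the owner may call the rights-management operation
    grant(), because all programs are assumed to be trustworthy."""

    def __init__(self, subjects):
        self.subjects = set(subjects)
        self.owner = {}   # o -> owning account
        self.G = {}       # (o, s) -> set of rights, i.e. the access control matrix

    def login(self, s, **_):
        # Traditional DAC has no per-session rights setting; extra keywords are ignored.
        return {"subject": s}

    def create(self, session, o):
        s = session["subject"]
        self.owner[o] = s
        for t in self.subjects:
            self.G[(o, t)] = set()
        self.G[(o, s)] = {"r", "w", "d"}   # the owner keeps full rights

    def grant(self, session, o, t, right):
        # Only the owner may change rights to o, but in ANY of his sessions (marked "!!" above).
        if self.owner[o] != session["subject"]:
            raise PermissionError("only the owner changes rights")
        self.G[(o, t)].add(right)

    def can_read(self, s, o):
        return "r" in self.G.get((o, s), set())


class SplitDacModel(DacModel):
    """Assumed variant following the five points of section 2.5: each user has a
    trusted account used only to manage rights, and work sessions whose rights-mask
    for newly created objects is fixed at login. Programs run only in work sessions,
    where grant() is not available."""

    def login(self, s, trusted=False, mask=None):
        # mask: rights other accounts receive to objects created in this work session;
        # the user chose it in his trusted account, and it cannot change during the session.
        return {"subject": s, "trusted": trusted, "mask": dict(mask or {})}

    def create(self, session, o):
        if session["trusted"]:
            raise PermissionError("a trusted account only manages rights")
        super().create(session, o)
        for t, rights in session["mask"].items():   # rights are applied automatically
            self.G[(o, t)] = set(rights)

    def grant(self, session, o, t, right):
        if not session["trusted"]:
            raise PermissionError("no rights-management operations in a work session")
        super().grant(session, o, t, right)


def untrustworthy_program(model, session, o, to):
    """A program executed on behalf of the session owner that changes the rights to o
    in contravention of the owner's intention (the first path listed in section 1).
    Returns True if the rights change succeeded."""
    try:
        model.grant(session, o, to, "r")
        return True
    except PermissionError:
        return False


def confidentiality_kept(model_cls):
    """Constructed scenario: alice's demand is 'keep o secret from bob'. alice creates o
    in a work session giving bob no rights, then an untrustworthy program runs for her.
    Returns whether o is still secret from bob afterwards."""
    m = model_cls({"alice", "bob"})
    work = m.login("alice", trusted=False, mask={"bob": set()})
    m.create(work, "o")
    untrustworthy_program(m, work, "o", "bob")
    return not m.can_read("bob", "o")


if __name__ == "__main__":
    print("traditional DAC keeps the demand:", confidentiality_kept(DacModel))
    print("split-account DAC keeps the demand:", confidentiality_kept(SplitDacModel))
```

In the split model the intended sharing still works: alice opens her trusted account and grants bob read-access herself, which is exactly the rights-management activity the trusted account is for.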



3 A Look at BLP from the DAC-Perspective 

To approach the idea of how we think a stronger discretionary access control model should work, we first present an operational translation of MCP in DAC-style, however, keeping the above-listed five points in mind.

Let an instance $MCP = (S, O, (L, \le), F, PMR)$ be given. Throughout this section we illustrate our formal presentation with the following example.
EXAMPLE 1 Let $MCP = (S, O, (L, \le), F, PMR)$ such that:

— $S = \{s_1, s_2, s_3, s_4\}$

— $L = \{l_1, l_2, l_3, l_4\}$, $l_2 \le l_1$, $l_3 \le l_1$, $l_4 \le l_2$ and $l_4 \le l_3$

— $F(s_i) = l_i$, $i = 1, 2, 3, 4$ □

In the beginning the Trusted Labeller, $t$, comes into action. Firstly, he assigns to each user his allowed security levels $Z(s) = \{\, l \in L \mid l \le F(s) \,\}$.

EXAMPLE 2 $Z(s_1) = \{l_1, l_2, l_3, l_4\}$, $Z(s_2) = \{l_2, l_4\}$, $Z(s_3) = \{l_3, l_4\}$, $Z(s_4) = \{l_4\}$. □

We now observe that the level at which an object is created is one of its permanent properties, eg a part of its name. For an object $o \in O$ let $p(o)$ be the function that returns the security level at which $o$ was created. Then $t$ determines (in discretionary fashion) the session-rights associated with each level in concordance with the PMR. All we need is a rights-mask $C(l)$, for each security level $l \in L$, that determines the access rights associated with this level. If an object is created at level $l$, then, according to the Simple-Security-Property, only $l$ and greater levels are given the read-right, and, according to the *-Property, only the level itself is given the write-right and the delete-right.

Let $r(l)$ and $w(l)$ be the functions that determine the objects to which a user in a session with the security level $l$ has the right to read and to write (we omit delete for it yields the same objects as write), then the general formula for $C(l)$ is:

$C(l) = \left\{ \begin{array}{l} o \in r(l) \Leftrightarrow l \ge p(o) \\ o \in w(l) \Leftrightarrow l = p(o) \end{array} \right\} \quad \text{for all } l \in L$

From the perspective of discretionary controls, the set of all rights-masks determines the discretionary rights-function $G$.

EXAMPLE 3 We continue with our example.

— $C(l_1) = \{\, o \in r(l_1) \Leftrightarrow p(o) \in L,\; o \in w(l_1) \Leftrightarrow l_1 = p(o) \,\}$, ie, $l_1$-sessions have read-access to all objects

— $C(l_2) = \{\, o \in r(l_2) \Leftrightarrow p(o) \in \{l_2, l_4\},\; o \in w(l_2) \Leftrightarrow l_2 = p(o) \,\}$, ie, $l_2$-sessions have read-access to objects created at the levels $l_2$ and $l_4$

— $C(l_3) = \{\, o \in r(l_3) \Leftrightarrow p(o) \in \{l_3, l_4\},\; o \in w(l_3) \Leftrightarrow l_3 = p(o) \,\}$ (analogous to the previous point)

— $C(l_4) = \{\, o \in r(l_4) \Leftrightarrow p(o) = l_4,\; o \in w(l_4) \Leftrightarrow l_4 = p(o) \,\}$, ie, read-access is granted only to objects created at the level $l_4$ □



From now on, a user s can login at any allowed level l ∈ Z(s). The rights to the 
objects he creates during a session A(s, l) are automatically assigned as specified 
by the rights mask C(l). Since rights-management operations are unavailable 
during a session A(s, l), there is no way to manipulate these rights later. 

EXAMPLE 4 Suppose that: 

— s₁ creates o₁ during the session A(s₁, l₁), ie, at the security level l₁ 

— s₂ creates o₂ during the session A(s₂, l₄), ie, at the security level l₄ 



Then the resulting discretionary access control matrix has the following entries: 

          l₁         l₂        l₃        l₄ 
    o₁    {r,w,d}    ∅         ∅         ∅ 
    o₂    {r}        {r}       {r}       {r,w,d} 


We see that the columns of the matrix are labelled with security levels and 
not with users. Thus a user’s rights are not constant but vary according to the 
security level he chooses for a session. 
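The rights-mask construction above, worked through in Python as an added example (not code from the paper): it encodes the order on L that Example 3 implies, computes Z(s) from the clearances of Example 2 and C(l) from the creation levels of Example 4, and builds the access control matrix with levels as columns. The partial order (l₄ below l₂ and l₃, both below l₁, with l₂ and l₃ incomparable) and all Python names are assumptions made here.

```python
"""Rights masks C(l) over the paper's security lattice L = {l1, l2, l3, l4}.

Added example, not code from the paper: it reproduces Examples 2 to 4 (the
allowed levels Z(s), the masks C(l) and the access control matrix).
The partial order on L is an assumption read off Example 3: l4 below l2 and
l3, both below l1, with l2 and l3 incomparable; a 'greater' level is the
more trusted one, so an l1-session reads every object.
"""
from itertools import product

LEVELS = ("l1", "l2", "l3", "l4")

# Assumed order: DOMINATES[a] is the set of levels b with a >= b.
DOMINATES = {
    "l1": {"l1", "l2", "l3", "l4"},
    "l2": {"l2", "l4"},
    "l3": {"l3", "l4"},
    "l4": {"l4"},
}


def geq(a, b):
    """a >= b in the lattice L."""
    return b in DOMINATES[a]


def allowed_levels(clearance, s):
    """Z(s) = { l in L | l <= F(s) }: levels at which user s may start a session."""
    return {l for l in LEVELS if geq(clearance[s], l)}


def rights_mask(level, objects, p):
    """C(l) as the pair (r(l), w(l)):
    o in r(l) <=> l >= p(o)   (Simple-Security-Property)
    o in w(l) <=> l == p(o)   (*-Property; delete coincides with write)."""
    r = {o for o in objects if geq(level, p[o])}
    w = {o for o in objects if level == p[o]}
    return r, w


def access_matrix(objects, p):
    """Discretionary matrix with objects as rows and session levels as columns."""
    masks = {l: rights_mask(l, objects, p) for l in LEVELS}
    matrix = {}
    for o, l in product(objects, LEVELS):
        r, w = masks[l]
        rights = set()
        if o in r:
            rights.add("r")
        if o in w:
            rights.update({"w", "d"})
        matrix[(o, l)] = rights
    return matrix


# Example 2: clearances F(s) assigned by the Trusted Labeller t.
F = {"s1": "l1", "s2": "l2", "s3": "l3", "s4": "l4"}
# Example 4: o1 created in session A(s1, l1), o2 created in session A(s2, l4).
P = {"o1": "l1", "o2": "l4"}

if __name__ == "__main__":
    for s in F:
        print(f"Z({s}) = {sorted(allowed_levels(F, s))}")
    matrix = access_matrix(list(P), P)
    print("      " + "  ".join(LEVELS))
    for o in P:
        print(o, [sorted(matrix[(o, l)]) for l in LEVELS])
```

Because r(l) and w(l) depend only on the level and on p(o), the matrix is the same for every user who logs in at that level, which is exactly the point the paragraph above makes.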



4 The Advanced Security Discretionary Access Control Model 

We are now ready to introduce a discretionary access control model that protects 
confidentiality against Trojan Horse programs (THP) to the same degree as BLP 
does. The following major modifications and extensions to traditional DAC are 
necessary: 

— give to each user two accounts: a restricted one in which he can act only 
as his own trusted labeller and one for the ordinary work without rights- 
management operations 

— when logging in the ordinary account the user must specify a group of users, 
the session group, that will have access to the data he is going to create or 
modify⁹ 

— the session group is a permanent property of objects created during this 
session; formally, this feature is an implementation of structured name-spaces 
in the operating system 

— a user’s rights depend on the session group specified at login-time 



4.1 Basic Notions 

We use the following definitions in the remaining part of the paper: 

— U is the set of users 

— S is the set of work-accounts of U such that for each u ∈ U there is exactly 
one s ∈ S 

— T is the set of trusted accounts of U such that for each u ∈ U there is exactly 
one t ∈ T 

— G = 𝒫(U), the power set of U, is the set of groups of users 

⁹ To be precise the data he is going to create or modify must be kept secret from all 
users not in the session group. 

4.2 The Trusted Accounts 

In addition to his name and password a user u ∈ U must specify at login-time 
either a group g ∈ G, which commences a work-session in his s-account, or the 
keyword ‘trusted’, which brings him to his trusted account t. 

The idea of giving each user an s-account and a t-account is motivated as 
follows. From the viewpoint of a THP that aims at compromising confidentiality 
the set of all commands, programs and processes can be partitioned into two 
subsets: a set, let us say A, that the THP needs to compromise confidentiality 
and a set, B, that plays no role with respect to it, given that access control rules 
can be enforced in the s-account. 

The t-account comprises only the A-set of commands (and a few helpful but 
not necessary ones in the strict sense) and it must be given that all commands in 
this account are trustworthy, ie, there is no way of placing a THP in a t-account. 
To achieve this in our implementation we have written a special restricted shell 
in which only the commands listed below can be executed: 

— create/modify/delete/list the members of a named group: these commands 
only enhance the system’s usability; whenever a user needs to specify a 
group of users he can simply specify the group’s name instead of typing the 
members 

— change the group of a file¹⁰: this command is critical since only the members 
of the group have read-access to it; u can change the group of only those files 
he owns 

Remark: our groups are not the Linux-groups; we have a separate administration 
of groups and the access control system has been modified such that our groups 
are checked first, before the Linux-groups. 

4.3 The Work Accounts 

To start a work session a user u ∈ U must specify his name, password and a 
group g ∈ G. The choice of g is at the discretion of u. In a declarative manner, 
u determines with the choice of g that all files he is going to create or modify 
during this session must be kept secret from all users not in g (thus, u ∈ g always 
holds). As we will soon see, the operational translation allows us to regard the 
choice of g as the granting of read-access¹¹ to all its members to all files created 
or modified during this session. 

The three essential components to prevent THPs from doing any damage 
wrt to confidentiality are: the operation of the create-function, access rules for 
reading files and those for modifying files. 

¹⁰ We use the term file instead of protection object since Linux treats most resources 
as files. 

¹¹ Whether any other rights are granted as well is irrelevant with respect to confidentiality, 
but it is an important question when integrity is at stake. Here we can extend the group 
with a list of rights that should be granted to the members of g in addition to the 
read-right. 

The adapted create-function has only one essential parameter, the (implicitly 
full) file name o and no specification of access rights. If successful, it returns the 
tuple (o, u, g) which states that the file o is owned by u and has been created 
during a session with the group g. In the s-account there is no way to change 
u or g; only u can change g in his t-account. Therefore, it is impossible for a 
THP to grant any other users access to (o, u, g) than the members of g. We have 
modified the file system to store this triple in it. It is necessary to ensure that the 
existence of a confidential file can never be compromised by a naming conflict. 
Suppose that a user u' has by chance also defined a group with the name g 
but different members and wants to create a file with the name o. If u' ∈ g of 
(o, u, g), then we can inform him of the file’s existence since he has read-access 
to it anyway. Otherwise we create a new file (o,u',g). The name-space of files 
is now structured for, in addition to the file name, it comprises two additional 
distinguishing components. 

We now give the rules for read-access and write-access during a session of u 
with the session group g, where g denotes the members and not the name of the 
group, ie, u's rights vary depending on the choice of g and are limited by the 
condition that u ∈ g: 

1. u has read-access to (o, u', g') if and only if g ⊆ g', ie u has no read-access 
if g' ⊉ g 

2. u has write-access to (o, u', g') if and only if g = g', ie u has no write-access 
if g ≠ g' 

Suppose that in u's g-session there is a THP installed by v, a member of g. The 
aim of the THP is apparently to get read-access to a file (o, u', g') such that 
u ∈ g' but v ∉ g'. This is precluded by rule (i): read-access is limited to those 
files which need not be kept secret from any member of the session group. Note: 
we do not need to consider rule (ii) because u's decision to select g as the session 
group reflects his trust in the group’s members - to refer to Landwehr - not to 
distribute files with the g-group improperly. 

Now suppose that in u's g-session there is a THP installed by a user v not 
in g. The aim of the THP here is to get read-access to a file (o, u', g') such that 
u ∈ g' but v ∉ g'. This is precluded by rule (ii) and our create-function: data 
read from any accessible file, or any result from it, can only be copied to a file 
with the g-group, to which v has no read-access (unless the file’s owner decides 
in his t-account to change the file’s group). 
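The create-function, rules (i) and (ii), and the two Trojan Horse scenarios just discussed, replayed in a small Python simulation. This is an added example and not the authors' kernel modification; the class names, the existence check applied on a name conflict, and the users alice, bob and mallory are assumptions made here, while the read and write checks are the two rules exactly as stated.

```python
"""AS-DAC work sessions: files carry (o, u, g); read needs g ⊆ g', write needs g = g'.

Added example, not the authors' Linux kernel code. FileSystem, Session, the
existence check used on name conflicts and the users alice, bob and mallory
are assumptions made here to illustrate the two THP scenarios from the text.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class File:
    name: str          # o, the file name
    owner: str         # u, the creating user; immutable in the s-account
    group: frozenset   # g, the members of the session group at creation time


class FileSystem:
    """Name-space structured by the triple (o, u, g); no rights are stored."""

    def __init__(self):
        self.files = {}     # (o, u, g) -> File
        self.contents = {}  # File -> data

    def create(self, name, owner, group):
        key = (name, owner, group)
        if key in self.files:
            raise FileExistsError(key)
        f = File(name, owner, group)
        self.files[key] = f
        self.contents[f] = ""
        return f


class Session:
    """A work session of user u with session group g in the s-account; u must be in g."""

    def __init__(self, user, group, fs):
        if user not in group:
            raise ValueError("u must be a member of the session group g")
        self.user, self.group, self.fs = user, frozenset(group), fs

    def can_read(self, f):
        # rule (i): g ⊆ g', the file need not be kept secret from any member of g
        return self.group <= f.group

    def can_write(self, f):
        # rule (ii): g = g', so anything written stays inside the session group
        return self.group == f.group

    def create(self, name):
        """Adapted create-function: no rights parameter, returns (o, u, g).
        Assumption: an existing file of the same name is revealed only when this
        session may read it anyway; otherwise a distinct (o, u, g) is created."""
        for f in self.fs.files.values():
            if f.name == name and self.can_read(f):
                return f
        return self.fs.create(name, self.user, self.group)

    def read(self, f):
        if not self.can_read(f):
            raise PermissionError(f"{self.user} may not read {f}")
        return self.fs.contents[f]

    def write(self, f, data):
        if not self.can_write(f):
            raise PermissionError(f"{self.user} may not write {f}")
        self.fs.contents[f] = data


def readable_in_any_session(user, f, universe):
    """Could `user` pick some session group g (with user in g) that reads f?
    Exhaustive over all groups; by rule (i) it reduces to `user in f.group`."""
    others = [v for v in universe if v != user]
    for k in range(len(others) + 1):
        for combo in combinations(others, k):
            if frozenset(combo) | {user} <= f.group:
                return True
    return False


def trojan_scenarios():
    """Replays the two THP scenarios from the text; reports what the THP achieves."""
    fs = FileSystem()
    universe = {"alice", "bob", "mallory"}
    ab = frozenset({"alice", "bob"})
    bob = Session("bob", ab, fs)             # u' = bob, g' = {alice, bob}
    secret = bob.create("secret")
    bob.write(secret, "payroll data")

    # (1) THP planted by mallory, a member of alice's session group {alice, bob, mallory}:
    # rule (i) denies the read since mallory is not in g' = {alice, bob}.
    wide = Session("alice", universe, fs)
    leak_via_member = wide.can_read(secret)

    # (2) THP planted by mallory, not in alice's session group {alice, bob}: the read
    # succeeds, but the copy is created with group g, which no session of mallory reads.
    narrow = Session("alice", ab, fs)
    copy = narrow.create("copy")
    narrow.write(copy, narrow.read(secret))
    leak_via_copy = readable_in_any_session("mallory", copy, universe)

    return {"leak_via_member": leak_via_member,
            "leak_via_copy": leak_via_copy,
            "copy_group": copy.group}
```

The exhaustive check in readable_in_any_session is what makes scenario (2) convincing: since u must belong to his own session group and rule (i) demands g ⊆ g', no choice of g available to mallory ever satisfies the read rule for a file whose group excludes him.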

Until now, these considerations on the resistance of AS-DAC against THPs 
that try to violate confidentiality are purely informal. We would like to note that 
we have a full formal logic-based proof of it as well. We gladly include it in this 
paper should the referees consider it appropriate or necessary. 

Lastly, we would like to note that the resistance properties apply only to 
communications performed with operations intended for this purpose, eg read 
and write commands. We are very well aware of the fact that other operations 
or their side-effects can be (mis-)used to establish a communication channel, a 
so-called signalling or covert channel. How much of a handicap this represents 
is subject to an environment’s individual threat assessment. 

4.4 Some Remarks 

As already mentioned in the introduction, the above-presented concepts have 
been implemented as a modification of the Linux-kernel. However, there is much 
more to say to this topic than space would allow for. In particular, we have also 
examined the following points in detail. 

Inter-process communication. THP can try to disclose confidential data by 
passing them to other processes. Therefore, we have examined the process struc- 
ture of Linux, the methods to create and destroy processes, and to inherit and 
to communicate data. Here we have modified and taken control of the process 
status information, so that THP cannot use it for illegal passing of confidential 
data. 

Remote access and Internet services. The protection against THP is based 
on groups of known users, ie on closed systems or purely local networks, which 
de facto are an exception today. Email and the WWW are two ways a THP 
can use to pass data to any computer in the world. While a user often browses 
spontaneously in the web, email is most often used with a particular recipient in 
mind. Thus, different strategies are needed to tame THPs here. Taking THPs at 
different places into account, we have devised (but not yet implemented) some 
methods to allow either a risk-free or risk-conscious use of these services. 

Role of the administrator. On the way of modifying the system, we have also 
re-evaluated the administrator’s role. In today’s systems the administrator has 
a god-like position, which enables him to do everything at all times - a situation 
hardly comparable to people with analogous responsibilities in computer-free 
environments. There they are a kind of porters, caretakers or janitors, ie, people 
who have no direct power over resources but can only temporarily act on behalf 
of those who have power. Since we believe that an administrator should play 
the same role in a computer system we have adapted the procedures (inside and 
outside the computer) accordingly. 

Integrity. With the advent of digital signatures one can easily anticipate that 
future THPs will more and more attack the data’s integrity. Though far from 
being final, we pursue some promising ideas of how to deal with integrity violations 
by THPs¹². We follow observations from other fields, which indicate that 
violation of integrity cannot be prevented but only detected. So we work on 
detection mechanisms that become effective before the violation is involved in 
a final act. While this concerns integrity in combination with Internet services, 
we have implemented provision to ensure integrity locally with the help of rights 
masks. A user can parametrise a group with a rights mask and specify in this 
way which rights - in addition to the read-right - the group members should have 
to files he is going to create. 

¹² We concentrate here purely on technical means. At present, similar to issuers of 
credit cards, issuers of digital signatures try to exclude the users’ risk by offering a 
financial limit on the damage due to unauthorised use. Taken that a digital signature 
is in fact a digital identity card - and not a digital purse - it is obvious that there is 
more at stake than just some money. 

Shared rights. Soon to be implemented, we have incorporated into our system 
shared rights. A shared right is given to several users to ensure that important 
operations cannot be authorised by just a single user, ie a shared right becomes 
effective only if a certain number of users who have this right decide to exercise 
it. A simultaneous shared right requires the users participating in the operation 
to be on-line at the same time, whereas an asynchronous one allows them to 
authorise the operation at any time. 

There are many other details which we have taken care of to make the system 
work reliably, eg, system calls inspecting and modifying the process, file 
and directory information, which altogether also contribute to the system’s 
fundamental security properties. 

5 Conclusion 

A couple of years ago doubts arose whether the postulated and seemingly indisputable 
weakness of DAC against THP is inherent to it - a comparison of MCP and 
DCP rather hinted that MCP should be a special case of DCP since MCP 
places a limit on the users’ discretionary decisions whereas DCP does not. Both 
DCP and MCP are declarative definitions, which do not have a notion of a THP. 
Thus, the suspicion came up that resistance against THP is not a quality of these 
declarative structures but rather of their operational translations. An evaluation 
of BLP from the perspective of DAC revealed that BLP’s key to its strength 
is the distinction made between the trustworthiness of a user and a program 
started on his behalf - a distinction negligible in a paper-based world for all 
human acts are clearly visible. A similar examination of today’s DAC swiftly 
revealed that DAC does not make this distinction, the implicit consequence of 
which is that all programs are assumed to have the same trustworthiness as 
the users who started them. This (one can now say, trivial) observation led to 
AS-DAC. 

We have shown (and can provide a formal proof) that AS-DAC is resistant 
against the same class of THPs and their attacks as is BLP. At the same time AS- 
DAC is a full discretionary control system for it allows the owner of a protection 
unit to choose at his discretion, from which users this unit should be kept secret 
and which additional rights should be granted to which users. 

The successful completion of the formal modelling motivated us to imple- 
ment it. Linux, the sources of which are available to the public, is the perfect 
candidate to test the qualities of AS-DAC. Though the time needed to under- 
stand the kernel and the dependencies between the modules and system calls 
was considerable, we can demonstrate with our implementation of AS-DAC that 
THPs can very well be tamed in a discretionary access control system. 
Abstract. The development of extranets is transforming enterprise 
networking. Rather than using proprietary networks to exchange private 
information, organisations can now set up corporate extranets to exchange 
data and share applications with strategic partners, suppliers, and 
customers on a global scale. Because extranets allow third-party users into 
corporate networks, they need to be extremely secure and external access 
needs to be highly controllable. Authorisation governs what an entity can 
do, thus it is a core element in network security. In this paper, we 
propose a new authorisation framework that can cope with the dynamic and 
outreaching characteristics of extranets. We apply the technique of one-shot 
authorisation tokens in providing extranet users with flexible direct 
access to applications without authenticating their identities every time. 
It also solves the problem of revocation and update of user privileges 
in off-line models. This authorisation scheme has various advantages in 
terms of higher efficiency and greater adaptability to the diverse 
application environment of extranets. 



1 Introduction 

With the increasing use of Internet technology inside the organisation, more 
computing resources have been connected to networks in the forms of Intranets 
and extranets. An Intranet is a private, unique network implementation based 
on the technology, services, protocols and applications of the Internet. Its basic 
purpose is to support an internal information system, and it is usually either 
physically separate, or protects itself from the outside world through the use of 
some security system, e.g. firewalls, to restrict the type of traffic or access to 
a network. Extranets are extended Intranets that connect to outside customers 
and other more strategic partners. Allowing controlled access by authorised 
outside parties over the public Internet, extranets enable collaborative business 
applications across multiple organisations. With this potentially global external 
connectivity, extranets have extra layers of complexity in terms of functionality 
and security. Authorisation governs what an entity can do, thus it is a 
core element in network security. There are a number of proposed solutions to 
the Intranet authorisation problem. Some leading initiatives are DCE [16] 
and SESAME [1]. In this paper, we propose an extension to these existing security 
architectures with a new technique of using privilege credentials in order to 
tackle the authorisation problem on extranets. 

This paper is organised as follows. Some related work about the security 
issues on extranets and traditional methods of authorisation in distributed sy- 
stems is discussed. A new framework for providing authorisation services on 
extranets is proposed. An architectural overview is given and the features of its 
components are explained. The use of the proposed one-shot authorisation token 
is described. The paper finishes with a section on future work and conclusions. 



2 Related Work 

2.1 Security Issues and Challenges with Extranets 

Compared with Intranets and proprietary networks used for years, an extranet 
handles not only the internal world of an organisation but also the cultures of 
multiple business entities over the public Internet. These give rise to multiple 
challenges in designing effective access control mechanisms in such an open and 
dynamic environment. In [6], four security issues unique to extranets are descri- 
bed. These are : 

— Shared endpoint security : With an extranet, security becomes the joint 
responsibility of the organisations at the endpoints of the tunnels that link 
a group of Intranets or users accessing the network. 

— Unmanageable Heterogeneity : An extranet involves a population of local 
and remote users who may span the globe and multiple organisations. It is 
virtually impossible to manage or even foresee the types of heterogeneous 
systems that are used to access the extranet. The role of standards-compliant 
security becomes important. 

— Cross-Pollination : Interaction between multiple systems results in inter flow 
of data and information. This adds an additional dimension of security to the 
maintenance of the integrity, accuracy and confidentiality of internal system 
information. 

— Finer Access Granularity : Added levels of access to extranets for multiple 
business entities based on their partner status means that the mechanisms 
for controlling extranet access must be constructed with a finer level of gra- 
nularity. 

Since extranet administrators and users must deal with the policies and sen- 
sitivity of the organisations being accessed, the following issues are identified: 

— Trust Management : Trust establishment becomes a complex task due to the 
diversity in the extranet environment. Organisational systems must facilitate 
the ability to assess the trustworthiness of entities (users or applications) 
they encounter before access rights are granted to them. Thus security tools 
and protocols for establishing and managing trust effectively across multiple 
organisations on extranets need to be developed. 

— Security Policy Translation : Extranets make internal network system availa- 
ble to selected outsiders. It is a fundamental requirement that those external 
users comply with the security policies in the organisation. There should be 
some means of translation between different organisations. A corporate ex- 
tranet establishes linkages between different organisations and allows users 
to access multiple (both local and external) organisational systems, which 
may be implementing different sets of security policies. It is a basic require- 
ment that the users have to comply with those policies in their access. Thus 
new mechanisms for translating and mapping of the security policies from 
different organisations are required. 

Facing all these issues, we require a security solution in which access is highly 
controllable and which, on the other hand, is highly flexible and adaptive 
to the diverse multi-application environment. In this paper, we propose a new 
framework for providing authorisation services to the wide spectrum of 
administrators and users on extranets. 



2.2 Traditional Methods of Authorisation in Distributed Systems 

User Identity Based Approach. Traditionally, access control adopts the fra- 
mework of subjects, objects and access rights. While authentication establishes 
the identities of the subjects (network users), authorisation provides users with 
certain rights to access objects (services and applications). User authentication 
provides the mechanism by which access control can be implemented on network 
data, as well as by which auditing and network monitoring are made easier. In 
certain environments, establishing a user identity automatically provides the user 
with a set of privileges. To determine the type of access appropriate for a user, 
the user’s identity is compared to an access control list (ACL). If a user’s identity 
appears on the list, the user is granted the access corresponding to that iden- 
tity. This identity based authorisation depends on reliable user authentication 
techniques. 



Privilege Certification Approach. An alternative authorisation method is a 
privilege certification service, the only source of information about a user’s privi- 
leges that a service provider will trust. The security authority delivers privilege 
information to the previously authenticated user, encrypted with the provider’s 
key in the form of tickets or certificates. Without the service provider’s key, the 
user cannot read or change the certificate without destroying it. The user 
forwards the certificate to the service provider, which decrypts and reads it. The 
key used to encrypt the forwarded message proves to the service provider that 
the service provided the privilege data and that it has not been modified by the 
user. The service provider, therefore, trusts the privilege data, conferring only 
those permissions that correspond to the certified privileges. Some examples of 
security architectures using this kind of push technology are 

— Kerberos using ticket-granting ticket [12], 

— DCE using Privilege Attribute Certificate (PAC) [10] , 

— SESAME using Privilege Attribute Certificate (PAC) [1] and 

— Windows 2000 using Security Access Token (SAT) [2]. 

In these architectures, users have to complete the authentication process each 
time before privilege certificates are issued to them. We can see that the tradi- 
tional methods of authorisation directly depend on a reliable user authentication 
technique. 

3 A New Approach for Providing Authorisation Services 
on Extranets 

As a broader definition from ISO [11], authorisation is the act of determining 
whether an authenticated entity has the right to execute an action. Thus, 
authorisation can be separated into two stages [2] : 

— Granting rights and/or privileges (authorisation credentials) to a particular 
entity; 

— Using these privileges in combination with access decision rules at the re- 
source to determine if access should be granted to the entity. 

Hence an authorisation service must include a method for allocating privi- 
leges to an entity, and also provide an Access Enforcement Function (AEF) to 
ensure access is provided only if the privileges satisfy the access decision rules. 

We argue that the authentication of a user is essential in the first stage of 
authorisation but it is no longer needed in the second one. In this light, 
we can design schemes that allow users to directly access resources securely 
with the pre-loaded authorisation credentials and eliminate the repetition of user 
authentication in every access as in the traditional mechanism. An example is 
the access control system in hotels. A customer has to complete the registration 
process before he can get a key to a room for the first time. Afterwards, possession 
of a key is a sufficient proof to be allowed to enter the room. There is no need 
for the customer to register every time in order to enter the room. 

In our scheme, a user can prove authorisation without divulging his identity 
in every access. Secure authorisation relies on the security of the authorisation 
token. The authorisation process is split into two stages : 



Stage of User Registration - In the first stage of authorisation, the user has 
to complete the authentication process before privilege credentials in the form of 
authorisation tokens are issued. Our approach is similar to DCE and SESAME 
in the way that a central authorisation server is designed to allocate privileges 
to authenticated users. It is flexible and adaptive enough to be extended to 

R. Au, M. Looi, and P. Ashley 

use a variety of authentication formats and other distributed information. We 
propose to place authorisation information such as identity, user groupings and 
even policy rules into signed credentials that can be distributed at any time with 
any request by authenticated users. Since they are used for once only, we call 
them "one-shot" authorisation tokens. In our scheme, we propose the central 
authorisation server to administer all the applications in its domain (Intranet) 
as well. 



Stage of Access Enforcement - In this second stage of authorisation, every 
time a user wants to access a service or application, he can submit the 
authorisation token directly to the appropriate service provider. No user authentication is 
required. In our authorisation scheme, these authorisation tokens will be handled 
by the authorisation manager on the application server. The manager evaluates 
the tokens by an ACL-like mechanism along with whatever access policy 
information is available, and then grants the appropriate access to the user. The 
manager is also responsible for the renewal or revocation of the one-shot 
authorisation tokens, so that the user need not repeat registration at the next 
access. 



4 Architectural Overview 

Our proposed framework extends the DCE or SESAME architecture to provide 
centralised authorisation administration but distributed access enforcement 
among various service providers in an extranet environment. Referring to Figure 1, 
we introduce an Authorisation Server in each Intranet to provide authorisation 
service to its resources and clients. 

[Figure 1 (image not reproduced): Intranet A and Intranet B, with arrows for 
the interactions in the stage of user registration and the interactions in the 
stage of access enforcement.] 

Fig. 1. Authorisation services between two Intranets 

Towards a New Authorisation Paradigm for Extranets 




4.1 Authorisation Server for Centralised Control 

Centralisation offers a cost-effective, easier management structure. It enables 
the system administrator to manage complex network applications with a high 
degree of consistency. DCE and SESAME allow central administration of user 
privileges but the access control rules (normally ACLs) are managed by the 
administrators of distributed applications. So the authorisation is only partially 
centrally manageable. In our approach, with the strategy of fully centralised 
control for an administrator, an authorisation server is designed in each related 
Intranet to facilitate the following functions : 

— To administer the access control rules for all the applications and resources 
on its local Intranet. 

— To create authorisation tokens for accessing local applications or resources 
and issue them to either local or external authenticated users at the first 
time of access request (registration). 

— To send the updated authorisation information of local users to each ap- 
plication server on the local Intranet or to authorisation servers in other 
Intranets. 

— To establish secure communication channels with authorisation servers on 
other Intranets. 

— To acquire authorisation tokens for local users from authorisation servers on 
other Intranets. 

— To establish mappings and translations for access rules and policies with 
other Intranets. 



4.2 Authorisation Managers for Distributed Applications 

While applications and resources are distributed over multiple Intranets, we 
propose to attach an authorisation manager to each application server 
to facilitate authorisation services. It can be in the form of a program or 
Application Programming Interface (API). This authorisation manager follows the 
instructions from the central authorisation server through a secure 
communication channel. When a user requests access by submitting an authorisation token 
to the application server, it is the authorisation manager that handles the token 
and implements the authorisation. The functions of our proposed authorisation 
manager include : 

— Access Enforcement Function (AEF) which makes decisions whether to grant 
or reject the access request according to the user’s privileges submitted and 
access control information at the resource; 

— Token Update Function (TUF) which generates a new authorisation token 
based on the update information from the central authorisation server, if any, 
and the data on the current token. The update action may be revoking or 
changing all or part of the current privileges. The renewed authorisation token 
will be sent back to the user later. 

— Key Management Function (KMF) which provides session keys to establish 
a secure channel for the communication between the user and the resource or 
application. These keys may be sent to the user with the renewed authorisation 
token at the same time. 

Figure 2 illustrates the system walkthrough for an extranet to be accessed 
by local and external users. It is highlighted that 

— In the stage of user registration, privilege distribution is done only once by 
the collaboration of the central authorisation servers in related Intranets. 

— In the stage of access enforcement, the user makes the access request directly 
to the authorisation manager on the related application server. There is 
no difference in the process of access for local and external users on the 
extranets. 

[Figure 2 (image not reproduced): panels for User in A (local), Intranet A 
(local), Intranet B (external) and User in B (external).] 

Fig. 2. System Walkthrough for Internal and External Users 

5 Use of One-Shot Authorisation Token 

An authorisation token is actually a form of digital certificate containing some 
authorised access control information. Making use of public key and digital 
signature technology, the authorisation token is issued by the signing authority to 
delegate some form of authority to the holder of the token. For example, a bank 
may issue an authorisation token to a customer saying ‘the holder is authorised 
for the withdrawal of $500 from his account’. In general, the owner of any 
resource that involves electronic access can use authorisation tokens to control 
the access to it. 

In our proposed authorisation framework, we use the one-shot authorisation 
token to hold the privileges of each individual user on the extranets. As dis- 
cussed in [5], the token is valid for a single use only. It is renewed by the 
application server and returned to the user on every access. This technique 
provides a mechanism for revoking or updating a user’s privileges dynamically. 
Security is also enhanced, since a forged or replayed token is rejected. 
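The issue, verify-and-consume, renew cycle described above, as an added Python illustration that is not part of the paper: a central AuthorisationServer issues the first token, and an AuthorisationManager beside the application server verifies it, records its serial so a second presentation is refused, decides the request, and hands back a renewed token whose privileges may have been reduced. The paper signs tokens with public-key signatures; this sketch substitutes an HMAC under a constructed shared key (DEMO_KEY) so it runs with the standard library alone. The class and field names, the serial field and the demo inputs are this example's own assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the authorisation server and the authorisation
# managers. The paper signs tokens with a public-key signature; an HMAC stands in
# here so that the example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _encode(body, key):
    """Serialise a token body and append the authenticator computed over it."""
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def _decode(token, key):
    """Return the token body if its authenticator verifies, otherwise None."""
    payload, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def _fresh_token(privileges, key):
    # Every token carries a fresh serial, so a renewed token is distinguishable
    # from the one it replaces. The body holds only privileges, no identity,
    # in the spirit of the paper's task based ACI.
    return _encode({"serial": secrets.token_hex(8),
                    "privileges": sorted(privileges)}, key)


class AuthorisationServer:
    """Central authorisation server: issues the initial token at registration."""

    def __init__(self, key=DEMO_KEY):
        self.key = key

    def issue(self, privileges):
        return _fresh_token(privileges, self.key)


class AuthorisationManager:
    """Sits beside one application server: verifies, consumes and renews tokens."""

    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.spent = set()  # serials already presented: the one-shot rule

    def access(self, token, action, update=None):
        """Return (granted, reason, renewed_token).

        `update`, when given, is the privilege list the renewed token carries
        instead of the old one: the dynamic revocation/update path of Section 5.
        """
        body = _decode(token, self.key)
        if body is None:
            return False, "bad signature", None   # forged or tampered token
        if body["serial"] in self.spent:
            return False, "replay", None          # second presentation of a token
        self.spent.add(body["serial"])            # consume: the token is now spent
        granted = action in body["privileges"]
        new_privileges = body["privileges"] if update is None else update
        renewed = _fresh_token(new_privileges, self.key)
        return granted, ("granted" if granted else "not authorised"), renewed


def privileges_of(token, key=DEMO_KEY):
    """Privileges carried by a token that verifies, else None (used by the demo)."""
    body = _decode(token, key)
    return None if body is None else body["privileges"]


def tampered(token, privileges):
    """Constructed bad input for the demo: rewrite the privileges, keep the old tag."""
    payload, _, tag = token.rpartition(b".")
    body = json.loads(payload)
    body["privileges"] = sorted(privileges)
    return json.dumps(body, sort_keys=True).encode() + b"." + tag


def demo():
    """Walk one user through issue, access, replay, tampering, update and revocation."""
    server, manager = AuthorisationServer(), AuthorisationManager()
    t0 = server.issue(["read", "write"])
    first = manager.access(t0, "read")                        # granted, renewed -> t1
    replay = manager.access(t0, "read")                       # t0 is already spent
    forged = manager.access(tampered(first[2], ["admin"]), "admin")
    downgraded = manager.access(first[2], "write", update=["read"])  # renew with fewer rights
    after = manager.access(downgraded[2], "write")            # write is no longer held
    return first, replay, forged, downgraded, after
```

The spent-serial set is what makes the token one-shot; in a deployment it would have to live wherever the authorisation manager can consult it for every request to that application server, and the renewed token is the only valid credential the user holds afterwards.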

5.1 Token Contents 

The one-shot authorisation token is a container of access control information 
for an individual user. In order to suit a wide range of access control policies 
used on the extranets, the design of the format of the authorisation token has to 
be modular and flexible. Another important principle is that the authorisation 
tokens should be designed carefully for specific purposes and the information they 
contain should be only that required for this and no more. Some common security 
policies include discretionary access control, mandatory access control, role based 
access control and task based access control. As an example, an authorisation 
token may contain access control information (ACI) in one or a combination of 
three dimensions, namely identity, task and role: 

— Identity based ACI: In discretionary access control systems, access 
rights are based on the identity of the user. In these cases, the identity information 
of the user is included in the authorisation token. 

— Task Based ACI: An authorisation token may contain identity information 
that will not generally be necessary and may sometimes be undesirable. For 
example, ’electronic cash’ can be regarded as a specific form of authorisation 
token in the banking system. Users may want individual transactions to be 
anonymous. It is possible and necessary to design some authorisation tokens 
without identity information. To identify the holder of an authorisation token, 
a bank may typically look up the link between account numbers and owner in 
its internal databases. Placing such identity information in an authorisation 
token is actually undesirable since it could expose the holder to additional 
risks. For example, anyone handling the token may reveal and use the identity 
information for unintended purposes. 

In task based access control, authorisation is done in terms of tasks or ac- 
tivities instead of individual subjects and objects. A task can be defined as 
a logical unit of work which may involve: 

• multiple applications distributed over different Intranets 

• multiple subtasks, where a subtask may need to be individually or collec- 
tively authorised 

Under these policies, the access control information in the authorisation 
token may contain only the necessary details of the task. It is believed that 
the authorisation of tasks that span multiple systems over departmental and 
organisational boundaries can be conceptually simpler and more efficient. 

— Role Based ACI: Role based access control assigns users to roles. The 
access rights on resources are based on the roles of a user. In this policy, the 
users are issued with a package of authentication tokens containing the role 
information. 

In recent research on SDSI, SPKI and PolicyMaker [15] [9] [7], authorisation 
information such as identity, user groupings and even policy rules is placed into 
these authorisation tokens that can be distributed at any time with any request. 
They are evaluated locally by an ACL-like mechanism or evaluation engine, along 
with whatever local policy information is available. 

Attribute certificates as defined in ANSI X9.57 [3] constitute a general- 
purpose mechanism that binds one or more pieces of attribute information to 
each certificate’s subject. They are further developed in ANSI X9.45 [4] to sup- 
port the distribution of certified authorisation information. 

5.2 Advantageous Features 

With the technique of a one-shot authorisation token, the authorisation frame- 
work becomes more flexible and adaptive to the needs of extranets. It acquires 
the following advantages: 

— The administration of authorisation is centralised on one security server for 
each Intranet, and this greatly simplifies the management work. 

— The access enforcement is done by the authorisation manager, which is dis- 
tributed along with each application. So the user can use his token to access 
the application directly. Except for the first-time registration, user aut- 
hentication to the central security server is eliminated, so the performance 
of the system is better as less traffic is generated. Also the problems of a bottle- 
neck and a single point of failure at the central security server are avoided. This 
distributed access enforcement system also scales better for large numbers of 
users and applications, as in the case of an extranet. 

— The one-shot authorisation token provides a flexible carrier for the mappings 
of policies and functionality across multiple Intranets in different organisa- 
tions. 

— The mechanism does not interfere with the intra-domain extranet security. 
Hence it is safer and easier to establish some level of trust among multiple 
communities. 

— While some extranets may use proprietary or export-restricted cryptogra- 
phic software or hardware, the format of the token is flexible enough to cater 
for them individually. 

— Protocols using the one-shot authorisation token can be designed to pro- 
vide mutual authentication between the user and the service provider. This 
is considered to be an essential assurance of security in the public Internet 
environment. 

— The mechanism can easily be integrated in an existing heterogeneous network 
because there is no need to modify the internal security architecture of each 
domain. The one-shot authorisation token can be standardised to become 
a universal ticket across domains with heterogeneous systems. 

— With the use of push technology in our scheme, it is possible for users to 
access applications anonymously, if the policies allow. Anonymity might be 
an advantage or necessity in some application system designs, e.g. electronic 
cash transaction systems. 

— Since the user log-on procedure is eliminated, access to multiple applications on 
different extranets becomes easier for individual users. From the viewpoint 
of the users, it is inefficient and troublesome to replicate user information 
on related service providers all over the world. Managing log-on 
information is not an easy job for individual users if the number of extranets 
to be accessed is large. Traditional single sign-on for multi-application access 
on an extranet is difficult to achieve. 

— Very often, we need to control access to specific resources from both users 
and other applications. The use of one-shot authorisation tokens provides a 
means of authorisation to entities other than users. Also delegation can be 
achieved by passing these tokens on [5]. 



6 Future Work 

6.1 Use of Smart Card 

In our new paradigm, it can be seen that the security relies heavily on the security 
of the authorisation tokens. Thus a secure personal device, e.g. a smart card, is 
suggested to serve as a ’wallet’ to hold these tokens safely for each individual 
user. Using the code execution power of the smart card, programs can be 
developed to work cooperatively with the authorisation manager on the application 
server side. This dynamic collaboration can manipulate the authorisation tokens 
with high security and provide a finer granularity of access control [5] in the multi- 
application environment on extranets. 



6.2 Trust Management and Security Policy Mappings 

On the extranet, multiple business parties across security domains are involved. 
The creation of the authorisation token requires effective translation of policies 
and management of trust between those related communities. Some authorisa- 
tion languages for the development of these mappings of trust, policies and other 
functionality are required. 
6.3 Infrastructure of Authorisation Servers 

There would likely be thousands of Intranets with authorisation servers connec- 
ted together over the Internet. Each authorisation server services a set of local 
users directly, and external users through their own authorisation servers. If there are 
N Intranets joined together to form an enterprise extranet, each authorisation 
server has to establish some kind of mappings or translations of policies and 
trust with the other (N-1) authorisation servers. Then there should be N(N-1)/2 
relationships established over that enterprise extranet. It would be unworkable if 
N is very large. One solution is to build an infrastructure with a tree or hierarchy 
of the authorisation servers, or perhaps a less structured logical interconnection. 
Then the initial user registration process and the initial authorisation token de- 
livery can go through a secure chain of authorisation servers. After that, the user 
can access the application directly with his authorisation token. 

6.4 Auditing and Monitoring 

Accountability and non-repudiation are two important requirements in se- 
curity management. In our authorisation framework, these can only be achieved 
by the collaboration of the authorisation servers and application servers in the 
two related domains. Some auditing and monitoring services can be developed 
based on the trust established and policy mappings among the authorisation 
servers. 

7 Conclusions 

We have presented in this paper an authorisation framework for use on extranets. 
The scheme has the following features: 

— Authorisation Service is provided by the collaboration of the central autho- 
risation server and the authorisation managers attached to each distributed 
application on the extranet. It can enhance the system performance in terms 
of load balancing and reliability. 

— One-shot authorisation tokens provide a user with flexible direct access to 
applications without revealing the user identity. This technique has various 
advantages in terms of efficiency and adaptability to the diverse application en- 
vironment on extranets. 
Abstract. This paper discusses an approach to specifying a safety po- 
licy governing safe execution of mobile code written in the Safe Erlang 
system. This policy is specified as a check function, which is applied to 
request messages for access to external resources (using remote proce- 
dure calls) from the mobile code executing in a restricted environment. 
As such, it is similar to the Security Manager used in Java, or the poli- 
cies defined in SafeTCL. However we believe its application to external 
resource remote procedure calls by code running in a restricted subnode 
leads to a simpler and cleaner solution with less overhead; and its speci- 
fication in a functional language such as Erlang leads to a clearer, more 
easily verifiable, specification of the policy. 



1 Introduction 

Mobile code is defined as any code sourced remotely from the system it is 
executed upon. Because the code is sourced remotely, it is assumed to have a 
lower level of trust than locally sourced code, and hence needs to be executed 
within some form of constrained or sandbox environment to protect the local 
system from accidental or deliberate inappropriate behaviour. 

One of the major issues in supporting mobile code is to provide a suitable 
level of System Safety, which provides appropriate controls on accesses to 
resources by the executing code so the security of the execution system is not 
compromised [7,10]. Ideally it would be desirable to be able to formally verify 
that the imported code will not violate the system’s security policy; however in 
practice this is difficult (cf. for example the work on proof carrying code requiring 
a hand-crafted proof for each [8]). The other key issue is Run-Time Safety, 
which is concerned with ensuring that the code will behave in accordance with 
the source specification. This is usually provided by a combination of language 
features in conjunction with the run-time system. 

A number of approaches to providing a safe execution environment have 
been investigated (see survey by [10]), with much of the focus being on securing 
procedural languages such as Java [3,9] or Tcl/Tk [4,11]. However here we are 
interested in how best to extend our existing work on Safe Erlang, which pro- 
vides the necessary run-time safety, in order to best support a range of Safety 
Policies, and be able to impose differing levels of system safety on different 
mobile code instances. 
Safe Erlang is an extension of the functional language Erlang [6,5]. It includes 
extensions to Erlang to enhance its ability to support safe execution of remotely 
sourced code. These extensions are in three areas: 

— the provision of a hierarchy of nodes to provide a custom context, restrictions 
on side-effects (including any external resource access), and resource limits. 

— the use of unforgeable references (capabilities) with associated rights of use 
for modules, nodes, processes, ports, and user defined references. 

— support for remote code loading in context. 

We have been working with Erlang, rather than the more traditional proce- 
dural languages, such as Java or SafeTCL, because we believe that functional 
languages have a very high degree of intrinsic run-time safety. This means the 
changes required to provide a safe execution environment are much smaller than 
those needed to secure a procedural language, as discussed in [6]. Erlang is a 
functional language, developed by Ericsson, and is currently being used for a 
number of production telecommunications applications [1,2]. 

The approach outlined in this paper for specifying a safety policy is based 
on executing the untrusted mobile code in a constrained environment, which 
is trusted to prevent direct access to any external resources by the executing 
untrusted code, and then applying filters to messages between the untrusted 
code and server processes which mediate the access to resources. Since Erlang 
generally uses message passing Remote Procedure Calls (RPCs) for servicing 
requests (including local requests), and since we can enforce this use through 
our Safe Erlang extensions, this provides a very convenient choke point at which 
to impose a safety policy. By restricting the problem domain to just verifying 
that the messages conform to the desired policy, the problem should be consi- 
derably more tractable, whilst still being highly extensible. Using Safe Erlang’s 
restricted subnodes, these checks need only be applied to untrusted code run- 
ning in a restricted subnode. Further, they are done only when the untrusted 
code is requesting a possibly insecure service provided by a server running in 
a more trusted subnode. This significantly reduces the overhead of performing 
such checks. By implementing this approach in a system based on a functional 
language, it is possible to have the security policy specification written in this 
language, and then use it directly as the actual check function. 

2 Alternate Approaches to Specifying Safety Policies 

A range of alternative approaches to imposing safety policies has been tried in 
a number of languages. In particular the approach used by Java, and that used 
by Safe/Tcl will be discussed and contrasted with the approach outlined in this 
paper. 

2.1 Java Class Loader, Security Manager, and Access Manager 

Probably the best known mobile code system is Java. In Java, system safety 
is the responsibility of the class loader in conjunction with the security or ac- 
cess manager, depending on which version of Java is being used (see detailed 
discussion of Java security in [9]). 

The Java language and run-time system provide a sandbox for code to be 
executed in, with suitable controls on its operations. The Java Class Loader, 
Security Manager, and Access Manager interact to determine which particular, 
potentially unsafe, operations are permitted. 

The Java Class Loader is responsible for loading classes as required. It alone 
knows the origin of the class, whether it has been signed, and hence which secu- 
rity or access manager should be used with it. It is also responsible for managing 
and enforcing namespace separation rules, which ensures that class/package na- 
mes sourced from different locations (CODEBASEs) are partitioned into sepa- 
rate namespaces to prevent confusion/subversion due to name collisions. Diffe- 
rent Class Loaders are used for code loaded from different sources, and trusted 
code is permitted to specify the use of a new Class Loader. 

The Java Security Manager is called by all Applications Programmer Inter- 
face (API) code to see if a requested operation, with the arguments as supplied, 
is permitted for the requesting class. Only one Security Manager is defined for 
any instance of a Java run-time system. It is usually selected by trusted code 
at startup, and cannot subsequently be changed. It includes methods to resolve 
requests relating to file access, network access, execution of other programs on 
the local system, and access to system resources. These methods need to be 
carefully written to handle the varying decisions. They interact with the Class 
Loader to determine what the requesting class is permitted to do. If different 
policies need to be applied to different classes, then the Security Manager must 
have code provided to distinguish between the various cases. In practice, this 
has proved to be difficult. 

Java 1.2 provides a new Access Manager class. It supplements and generalises 
the features previously provided by the Security Manager (which is maintained 
to support the current security API). The Access Manager may be consulted by 
the Security Manager in order to determine whether some action is permitted. 
In contrast to the Security Manager, customisation of the Access Manager is 
provided by specifying rules in a policy file, rather than having to modify the 
actual code. This significantly improves its generality. 

The Java approach involves a single execution sandbox. Hence all code run- 
ning must be vetted for safety - some of the code being permitted to perform 
“unsafe” operations (because it was sourced locally, or comes from a signed 
class), whilst other code must be restricted (because it is remotely sourced, un- 
trusted, code). This necessarily complicates the policy specification - in actual 
code in the case of the Security Manager, or in the policy file for the Access 
Manager. Also, the realm of what operations are vetted is constrained by which 
of the API calls include a check with the Security/Access Manager as to whether 
the operation is permitted, although the Access Manager includes an extensible 
Permissions class, which user applications and classes can choose to use. 
2.2 Safe Tcl/Tk Interpreter and Policies 

Another well known safe execution environment is that provided by SafeTCL [4, 
11]. This involves a master interpreter starting a SafeBase slave interpreter to run 
any untrusted code. The SafeBase slave interpreter has very restricted functiona- 
lity (by default, no external access is provided). Potentially “unsafe” operations 
are supported by extending the slave with additional commands which are ac- 
tually executed on the master interpreter. These are trusted, and can impose an 
appropriate safety policy on any requests from the slave. A range of policies can 
be supported, though on any particular execution, only one is used. This policy 
specifies when requests for file access, network access, email access, and browser 
access will be permitted. 

Policies are specified in a file, which supplies rules (written as Tcl statements) 
which govern when each of the categories of potentially “unsafe” operations is 
permitted, and with what arguments. 

The use of multiple interpreters (sandboxes) provides significant flexibility 
and isolation between the various mobile code modules and the main system. 
Further the use of a policy specification which contains Tcl commands allows 
a good degree of flexibility in policy specification, whilst still keeping the po- 
licy relatively straightforward. However, Tcl/Tk policies are still bound by the 
domain of potentially “unsafe” operations which may be vetted. 

3 Imposing Policy Using a Message Check Function 

The key feature in this proposed approach to providing System Safety is the 
use of a message check function which is applied to request messages for access 
to resources outside the restricted environment (using remote procedure calls) 
from the mobile code executing in a restricted subnode. This check function is 
applied on receipt of the request by the general remote procedure call (RPC) 
handler for some trusted server executing outside the restricted environment. 
The message check function acts as both the security policy specification, and 
the means used to verify that the RPC request messages conform to that policy. 

This approach shares a number of similarities with the approach supported 
by SafeTCL. In both cases multiple execution environments with differing trust 
levels are supported, along with a flexible policy written in the language used 
to validate potentially unsafe access requests. Where it differs is in the applica- 
tion of the check to RPC messages, rather than by modifying the code in the 
API libraries; and in the use of a functional language, which provides a clean 
specification of the policy. 

In Erlang, a general server mechanism is supplied which acts as a wrapper 
around a number of general services (such as file access). It uses the efficient, 
lightweight, message passing mechanism supplied by Erlang and used for all 
inter-process communications. It is quite straightforward to adapt the general 
server to support the use of a message check function, and then advertise 
this “protected” service in the restricted environments where unsafe code is 
executing. Usually no further changes to the actual server code are required, other 
than ensuring that the server is started using the modified server mechanism, 
rather than the default. Thus, unlike other systems, extending the scope of which 
services are to be protected merely requires that the existing server be started 
using the new general server mechanism with an appropriate check function, 
rather than requiring any changes to the actual server code (provided only that 
the server uses the general server handler). 

Writing a suitable check function, in general, defaults to looking at the list 
of requests supported by the server, and itemising them as always permitted, 
always denied, or permitted for some parameter values. This then translates 
fairly directly into the code for the check function. For example, file access may 
be restricted to files in some specified directory. This requires a policy that 
includes checking the supplied filename to ensure that it is appropriate. 

Whether to impose a policy or not on any particular service is a decision made 
by the owner of the node. An execution environment can be tailored, comprising 
one or more restricted subnodes each with a policy imposed by limiting them to 
using a predefined set of servers, which execute in trusted subnodes, and which 
have the required check function imposed. 

4 Prototype Implementation in Safe Erlang 

This approach has been trialed using the SSErl prototype of a safe Erlang exe- 
cution environment. This system is described in [6]. It is used to create an 
appropriately tailored execution node for the mobile code, whose only access to 
resources external to that node is via messages sent to server processes, whose 
process identifiers are registered by name in the restricted node’s names table. 

A key feature in implementing this check function is the use of Erlang’s 
pattern matching ability to resolve which of the many possible messages are 
valid. The check monitor function has the form check(Mod, Type, Msg) where 
Mod is the name of the server module the policy is imposed upon, Type is the 
particular RPC message type (call/cast/info) being checked, and Msg is the 
message received by safe_gen_server to be relayed to the call-back routines in 
the actual server module Mod. The Msg is usually a tuple naming the requested 
function and providing the necessary parameters. 

For example, the monitor function could look as follows: 

check(file, call, get_cwd) -> ok; 
check(file, call, {delete, F}) -> valid_name(F), ok; 
check(file, call, {read_file, F}) -> valid_name(F), ok; 
check(file, call, {write_file, F, Bin}) -> valid_name(F), ok; 
... % other clauses removed 
check(file, info, _) -> ok; 
check(Mod, Type, Msg) -> exit(policy_violation). 

This indicates that for the file server, get_cwd is ok; as are requests to delete, 
read or write a file, provided a valid name (say current dir only) is supplied. Info 
messages (exits etc) are allowed. All other calls will result in a policy_violation 
exception. 
4.1 Safe_gen_server 



Erlang supports a general client-server mechanism to support various services, 
using the gen_server module. With a small change to this module to optionally 
impose a check function against all messages received for the server, it is possi- 
ble to run a number of instances of a standard server, each enforcing a different 
security policy. This results in a clean, and I believe, easier to verify implementa- 
tion, compared to implementing a suite of custom servers with modified code for 
each. It also results in the checking overhead only occurring when accessing such 
servers. In the prototype, this modified general client-server module is called 
safe_gen_server. 

safe_gen_server is a modified version of the existing gen_server module, 
which implements the security monitor function on messages received for the 
server it manages. This function is installed by specifying the new {check, Fun} 
option in the call to safe_gen_server:start(M,A,Opts) (and related variants). 
Then, when it receives a message, it will invoke the nominated check function 
first before invoking the appropriate call-back routine in the server module. If 
the check function exits, an appropriate error message can be returned to the 
calling client. 

It is left open whether a single check function, covering all modules relevant 
to a particular safety policy, or whether separate functions for each module, is 
most appropriate. The current implementation handles both. 

To use the check facility, the servers must be started with the check option 
specified. This would typically require calling safe_gen_server explicitly, rather 
than using the usual start function in the server module. Alternatively, the server 
module could be modified to provide a variant of start for this. The server 
modules may also need minor changes and recompilation to work in the safe 
environment anyway (this is certainly true of the prototypes). In either case, the 
effect is to impose the check function on RPC messages before they are passed 
to the existing server code. 

safe_gen_server has also been modified so that an explicit list of node capa- 
bilities or global names must be supplied for the multi_call/cast interfaces. This 
is because, with the capability concept, processes must explicitly have capabi- 
lities for any resources they wish to use (or know registered names for those 
capabilities). 



4.2 Policy Module 

To assist in the creation and usage of safer SSErl nodes, it is desirable that 
there be a clear and easy mechanism for specifying an appropriate safety policy. 
This would involve the correct specification of the options in the creation of a 
new node, but would also require some means of controlling the use of some 
standard servers, especially those accessing the file system, network and window 
manager. 
For ease of use, policy for an SSErl node may be specified by a policy module 
in a prescribed form. This module must contain and export a number of functions 
which are used to create the SSErl node with the desired security policy. These 
functions are: 

proc_rights() returns max list of rights for process capabilities, which will be 
constrained to at most those of the parent node. 
aliases() returns the list of aliases to be used in the new node. Usually these 
will map to modified versions of standard library modules. 
init_servers() calls the init routines of any servers servicing the new node (these 
servers are run in the current node context) and returns their registered names, 
to be used when creating the new node. 
check(Mod, Type, Msg) server message safety check function, which will be 
called by safe_gen_server to check server messages received, when configured 
in option list (by init_servers()). 

An example of a policy module is given below. It is intended for use by 
the SSErl test module as a demonstration. This policy limits access to files to 
just those in the current directory. More specifically, the functions perform the 
following: 

proc_rights() limits the subnode being created to having no special rights, in 
particular, no right to send external messages, thus limiting message passing 
to the current node (with its safe servers), 
aliases() maps the generic module names, especially file, to the modified, safe, 
versions (without requiring any change to the code running in the restricted 
subnode). 

init_servers() is used to start the file server with the correct policy imposed 
in the main trusted node, before the restricted subnode is created with this 
server specified in its namespace. 

check(Mod, Type, Msg) is the actual check policy imposed on messages re- 
ceived by the file server, specified as a parameter when the server was started. 



-module(safety_pol). 

%% required policy functions we export 
-export([proc_rights/0, aliases/0, init_servers/0, check/3]). 

%% proc_rights is the list of side-effects permitted for process 
%% in node from possible list of: [db, extern, open_port] 
proc_rights() -> []. 

%% aliases is the initial list of module name aliases to use 
%% here alias: the gen_server modules, safe servers, stdlib 
%% modules all of which are compiled for the SSErl env 
aliases() -> [ 
    % safe servers 
    {file, safe_file}, 
    % extended gen_server modules with support for check function 
    {gen, safe_gen}, {gen_server, safe_gen_server}, {proc_lib, safe_proc_lib}]. 

%% init_servers calls any server init routines servicing new node, 
%% these servers are run in current node context 
%% returns these in a list of registered names 
init_servers() -> 
    % start the safe daemons with check function option 
    {ok, Filer} = safe_file:start([{check, fun check/3}]), 
    [{safe_file_server, Filer}]. 

%% check(Mod, Type, Msg) - server message safety check function 
%% called by safe_gen_server to check server msgs 
%% when configured in option list (by init_servers()) 
%% returns ok | {'EXIT', {policy_violation, {Mod, Type, Msg}}} 

% handle checks for safe_file server 
check(safe_file, call, get_cwd) -> ok; 
check(safe_file, call, stop) -> ok; 
check(safe_file, call, {delete, Nam}) -> valid_name(Nam), ok; 
check(safe_file, call, {file_info, Nam}) -> valid_name(Nam), ok; 
check(safe_file, call, {read_file, Nam}) -> valid_name(Nam), ok; 
check(safe_file, call, {rename, Fr, To}) -> valid_name(Fr), valid_name(To), ok; 
check(safe_file, call, {write_file, Nam, _}) -> valid_name(Nam), ok; 
check(safe_file, info, _) -> ok; 
% everything else is rejected 
check(Mod, Type, Msg) -> 
    exit(policy_violation). 

... code for valid_name/1 omitted, which checks that 
... plain filenames only (no directories) are specified 

4.3 Creating a Node Implementing a Policy 

To create a new node which implements the policy in a policy module, a utility function safety:policynode(Parent, Name, Policy) has been created. Its current implementation is given below.

%% policynode/3 - creates subnode which implements policy module
%% in parent
policynode(Parent, Name, Policy) ->
    % establish various parameters from policy module
    PRi = apply(Policy, proc_rights, []),       % limit process rights
    Mods = apply(Policy, aliases, []),          % initial module alias table
    Names = apply(Policy, init_servers, []),    % start servers, get names
    % create new node with specified policy
    newnode(Parent, Name, [{proc_rights, PRi}, {names, Names},
                           {modules, Mods}]).

The safety:policynode(Parent, NodeName, PolicyModule) function may be called as follows to create a custom subnode:

PolNode = safety:policynode(node(), testnode, safety_pol).

Once it has been created, processes in it may be spawned as usual, e.g. a simple test function in the test module could be run as:

spawn(PolNode, test, test, []).

So with this approach, a SSErl node with a custom policy may be created by writing an appropriate policy module, and then simply using policynode to instantiate it.

4.4 An Example - safe_rpc

This mechanism has also been used in the safe_rpc server. The server executes calls to it in a restricted subnode. The safe_rpc_policy module is similar to that shown except that no file server is provided, and the [extern] process right is granted, permitting messages to be sent outside the local node. This module is invoked and used by safe_rpc:start() as follows:

start() ->
    RpcN = safety:policynode(node(), rpc, safe_rpc_policy),
    RpcNode = safety:restrictx(RpcN, [module, newnode]),
    Rpc = spawn(RpcNode, safe_rpc, loop, []),
    register(safe_rpc, Rpc),
    {Rpc, RpcNode}.

In turn, the safe_rpc server itself may be subject to a policy check function, limiting its use.

5 Limitations of the Prototype 

There are currently some limitations with the prototyped approach. 

The prime limitation is that not all "services" that one might wish to impose a policy upon use the gen_server general server mechanism. Whilst it works for file and for rpc, other services such as pxw, sockets and unix do not. Work is progressing on the best approach to handling these.

Also, the Safe Erlang system itself is only a prototype, a proof of concept. It has shown that the proposed language extension does indeed seem capable of supporting a safe environment, but as it is implemented using a modified compiler as an additional layer above standard Erlang code, it cannot actually provide a completely safe system at present. This will require a new run-time system with internal support for the safety extensions.

The general approach outlined does, however, seem to function efficiently.
6 Conclusions

This paper describes an approach to implementing a desired security policy by filtering RPC requests from untrusted (including mobile) code executing in a constrained environment to server processes which provide mediated access to resources outside that environment. This approach provides a simpler and cleaner implementation, compared to other approaches. It differs from the Java approach in that it provides multiple execution environments, each with a potentially distinct policy imposed, rather than having one environment and policy which must handle all of the distinct cases required. It differs from both Java and SafeTCL in that the check is applied against RPC messages sent by code running in an untrusted node and received by trusted servers on which a policy has been imposed, rather than being incorporated in the API and being invoked on every call to the API. Its implementation in a functional language provides a clean and simple specification of the policy, which is then executed as the actual check function. The approach has been trialed using the SSErl safe Erlang prototype, where the code executes in a node whose constraints are specified using a policy module which includes a message check function to check all server messages.
Abstract. In this paper, we propose a new public key cryptosystem based on a probably subexponential time problem over a modular matrix ring. Our new cryptosystem is similar to the GGH (O. Goldreich, S. Goldwasser, and S. Halevi) cryptosystem, but the attack which breaks the GGH system is not applicable to ours. The security of the new construction is based on the computational difficulty of integer factorization.



1 Introduction 

The need for public key cryptosystems is spreading rapidly today as more people use computer networks. In the light of the importance of public key cryptosystems, there are relatively few proposals of public key cryptosystems which have received any attention. Among them, there were two lattice-based public key cryptosystems which were given wide attention: the Ajtai-Dwork cryptosystem [1] and the GGH cryptosystem [2]. Though the problems on which their security is based (the closest vector problem and the shortest vector problem) are NP-hard, they were completely broken since they had major flaws in the design of the schemes.

This paper proposes a public key cryptosystem which runs fast and has a high level of security. Our encryption scheme is very similar to the GGH cryptosystem, but ours is not broken by the methods which break GGH.

In 1997, O. Goldreich, S. Goldwasser and S. Halevi proposed a lattice-based public key cryptosystem based on the NP-hardness of CVP [2]. But in 1999, P. Nguyen broke it by observing that the ciphertext leaked information on the plaintext and the decryption could be reduced to a special closest vector problem, which was much easier than the general problem [3].

The basic idea of our new cryptosystem starts from fixing the weakness of GGH, so the appearance of our system is similar to GGH. But contrary to GGH, the security of our system is based on the RSA problems, not on the lattice problems. The computational complexities for encryption and decryption are $O(n^2)$, where $n$ is the dimension of the lattice.

* This paper was supported by Korea Information Security Agency (KISA) grant 99-S-087.

The rest of the paper is organized as follows: we first review necessary material about lattices in section 2 and briefly describe GGH [2] and P. Nguyen's attack [3] in order to compare with GGH. In section 3, we introduce the new public key cryptosystem, and in section 4 we provide various analyses of the proposed scheme and describe conditions on the parameters for the security of the proposed scheme. Section 5 presents the results of the computer simulation and the comparison with RSA. Lastly, we discuss how to improve the security of our system in section 6.



2 Background on the New Scheme 

In the sequel, we denote vectors by bold-face lowercase letters (e.g. $\mathbf{b}$, $\mathbf{c}$, $\mathbf{r}$) and use capital letters (e.g. $B$, $C$, $R$) to denote matrices or sets of vectors.



2.1 Definitions 

Let $B$ be a non-singular $n \times n$ integral matrix. Denote by $\mathbf{b}_1, \ldots, \mathbf{b}_n$ the column vectors of $B$. The lattice $L$ spanned by $(\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is the set $L(B)$ of all integral linear combinations of the $\mathbf{b}_i$'s. The set of $\mathbf{b}_i$'s is called a basis of $L$.

There are two NP-hard problems in lattices (the shortest vector problem (SVP) [4] and the closest vector problem (CVP) [5]). No polynomial-time algorithm is known for approximating these problems [6].



2.2 The GGH Cryptosystem 



We give a brief description of GGH. The public key and the private key are two representations of the same lattice. A lattice $L$ is generated by a reduced basis $R$, and then $R$, which is kept private, is transformed to a non-reduced basis $B$, which will be public. In GGH, the security parameter is $(n, \sigma)$. A typical value is $(n, \sigma) = (300, 3)$. A message $\mathbf{m} \in \mathbb{Z}^n$ is encrypted into $\mathbf{c} = B\mathbf{m} + \mathbf{e}$, where $\mathbf{e}$ is an error vector uniformly chosen from $\{-\sigma, \sigma\}^n$. A ciphertext $\mathbf{c}$ is decrypted as $B^{-1} R \lceil R^{-1}\mathbf{c} \rfloor$, where $\lceil R^{-1}\mathbf{c} \rfloor$ denotes the vector in $\mathbb{Z}^n$ which is obtained by rounding each entry of $R^{-1}\mathbf{c}$ to the nearest integer.

Theorem 1 Let $R$ be a private basis and denote the maximum $l_\infty$ norm of the columns in $R^{-1}$ by $\gamma$. Then the probability of decryption errors is bounded by

$$\Pr[\text{decryption error using } R] < 2n \cdot \exp\left(-\frac{1}{8\sigma^2\gamma^2}\right).$$

Proof See [2].

This theorem implies that GGH is decrypted without errors with high probability.
2.3 Phong Nguyen's Attack

As seen in the above subsection, GGH has a typical type of error vector which is much smaller than the lattice vector. Let $\mathbf{s} = (\sigma, \ldots, \sigma)^t \in \mathbb{Z}^n$. Then $\mathbf{e} + \mathbf{s} \equiv 0 \pmod{2\sigma}$, so that:

$$\mathbf{c} + \mathbf{s} \equiv B\mathbf{m} \pmod{2\sigma}$$

Therefore the attack on the GGH scheme is reduced to the general problem of solving a modular linear system. For any ciphertext $\mathbf{c}$, the underlying linear system has very few solutions. Thus, GGH is far from being semantically secure. If one gets the plaintext $\mathbf{m} \bmod 2\sigma$, i.e., $\mathbf{m}_{2\sigma}$ (it is possible with high probability), this partial information simplifies the decryption problem as follows:

$$\mathbf{c} = B\mathbf{m} + \mathbf{e}$$

$$\mathbf{c} - B\mathbf{m}_{2\sigma} = B(\mathbf{m} - \mathbf{m}_{2\sigma}) + \mathbf{e}$$

$$\frac{\mathbf{c} - B\mathbf{m}_{2\sigma}}{2\sigma} = B\mathbf{m}' + \frac{\mathbf{e}}{2\sigma}$$

where $\mathbf{m}' \in \mathbb{Z}^n$ is such that $\mathbf{m} - \mathbf{m}_{2\sigma} = 2\sigma\mathbf{m}'$. The error vector $\frac{\mathbf{e}}{2\sigma} \in \{\pm\frac{1}{2}\}^n$ is much smaller than the previous one. This means that the problem of decrypting ciphertexts can be reduced to a simpler CVP. Applying the BKZ reduction algorithm [7], an attacker can find the error vector used in the encryption process.



3 The Proposed Public Key Cryptosystem 

1. proposed scheme

Let $n$ be the dimension of a lattice. The basic steps to choose parameters run as follows:

C1 Choose positive integers $m$, $e$, $d_{ii}$, $1 \le i \le n$, primes $p$, $q$ of size 512 bits, and a matrix $D \in \mathrm{Mat}_n(\mathbb{Z})$ with the following conditions:

C1.1 $N = p \cdot q$.

C1.2 $m$, $e$: random integers such that m ≈ q^ '^, e ≈ q^'^ , where $m$ and $e$ are upper bounds of the message and error vectors, respectively.

C1.3 $D$: a diagonal matrix such that $m < |d_{ii}| <$ , where $d_{ii}$, $1 \le i \le n$, are the diagonal entries of $D$.

C2 Choose an invertible matrix $T = (t_{ij})_{1 \le i, j \le n} \in \mathrm{Mat}_n(\mathbb{Z})$ such that

C3 $R = D \cdot T$. We make sure that $m + n \cdot l_\infty(R) \cdot e < q$, where $l_\infty(R) = \max_{1 \le i, j \le n} |r_{ij}|$ if $R = (r_{ij})$.

C4 $B = B_q \cdot U \cdot L \pmod N$, where $B_q = R^{-1} \pmod q$ and $L$ (resp. $U$) $\in \mathrm{Mat}_n(\mathbb{Z})$ is a unimodular lower (resp. upper) triangular matrix all of whose entries except the diagonal entries are multiples of $q$.

public information: $B$, $e$, $m$, $N$

secret information: $R$, $q$, $T$
2. encryption

Let $M = (m_1, \ldots, m_n)^t$, $0 \le m_i < m$, be a message vector and $E = (e_1, \ldots, e_n)^t$, $0 \le e_i < e$, be an arbitrary error vector. Then the ciphertext is

$$C = B \cdot M + E \pmod N.$$

3. decryption

At first, compute $X = (x_1, \ldots, x_n)^t$:

$$C_q = C \pmod q$$

$$X = R \cdot C_q \pmod q.$$

Then $m_i = x_i \pmod{d_{ii}}$, $1 \le i \le n$, by the above conditions. The mathematical proof of the decryption procedure is as follows:

$$\begin{aligned}
C &= B \cdot M + E \\
  &= (B_q \cdot U \cdot L) \cdot M + E \pmod q \\
  &= B_q \cdot M + E \pmod q
\end{aligned}$$

$$\begin{aligned}
R \cdot C &= R \cdot (B \cdot M + E) \\
  &= R \cdot (B_q \cdot M + E) \pmod q \\
  &= R \cdot (B_q \cdot M) + R \cdot E \\
  &= (R \cdot B_q) \cdot M + R \cdot E \\
  &= M + R \cdot E \pmod q \\
  &= M + (D \cdot T) \cdot E \quad \text{by C3} \\
  &= (m_i \pmod{d_{ii}})_{1 \le i \le n} \quad \text{by C3} \\
  &= M \quad \text{by C1.}
\end{aligned}$$

4. example of encryption and decryption

Choose $q = 10570841$ and $p = 10570837$. Then $N = 111742637163917$. Let $m = 500$, $e = 128$,

$$D = \begin{pmatrix} 612 & 0 & 0 & 0 \\ 0 & 681 & 0 & 0 \\ 0 & 0 & 697 & 0 \\ 0 & 0 & 0 & 601 \end{pmatrix}, \qquad T = \begin{pmatrix} 5 & 2 & 3 & 7 \\ 4 & 3 & 1 & 2 \\ 4 & 7 & 1 & 3 \\ 2 & 3 & 4 & 9 \end{pmatrix}.$$

Then

$$R = D \cdot T = \begin{pmatrix} 3060 & 1224 & 1836 & 4284 \\ 2724 & 2043 & 681 & 1362 \\ 2788 & 4879 & 697 & 2091 \\ 1202 & 1803 & 2404 & 5409 \end{pmatrix},$$

where $q$, $T$, and $R$ are private keys. Next, choose

$$U = \begin{pmatrix} 1 & -10570841 & 10570841 & -10570841 \\ 0 & 1 & 10570841 & -10570841 \\ 0 & 0 & 1 & 10570841 \\ 0 & 0 & 0 & 1 \end{pmatrix}, \qquad L = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 10570841 & 1 & 0 & 0 \\ 10570841 & -10570841 & 1 & 0 \\ -10570841 & 10570841 & 10570841 & 1 \end{pmatrix}.$$

Since $B_q = R^{-1} \pmod q$ and $B = B_q \cdot L \cdot U$, then

$$B_q = \begin{pmatrix} 5930539 & -5555340 & -7048431 & 411521 \\ -694743 & 5015501 & -1757594 & 10308964 \\ 4516652 & 3013095 & -1811759 & -2955469 \\ -7791869 & 8794374 & 1782871 & -9523333 \end{pmatrix},$$

$$B = \begin{pmatrix} 53157646921444 & 21634362201988 & 29648146983520 & 33268625202608 \\ 59321909946061 & 30416246925353 & 9377930406397 & 47489354938849 \\ 7621834577836 & 8990344720980 & 100334213765523 & 12995059581902 \\ 104368674961473 & 65200385256960 & 54666820601664 & 8249115384473 \end{pmatrix},$$

where $m$, $e$, $n = 4$, and $B$ are public keys.

Let

$$M = \begin{pmatrix} 151 \\ 81 \\ 259 \\ 462 \end{pmatrix} \quad \text{and} \quad E = \begin{pmatrix} 111 \\ 82 \\ 120 \\ 109 \end{pmatrix}.$$

In this case, the ciphertext is

$$C = \begin{pmatrix} 87570246808078 \\ 32646467360507 \\ 11374775095066 \\ 12518598246761 \end{pmatrix}.$$

Decryption of the ciphertext is as follows:

$$R \cdot C_q = \begin{pmatrix} 3060 & 1224 & 1836 & 4284 \\ 2724 & 2043 & 681 & 1362 \\ 2788 & 4879 & 697 & 2091 \\ 1202 & 1803 & 2404 & 5409 \end{pmatrix} \begin{pmatrix} 4613066 \\ 10558157 \\ 495334 \\ 5796624 \end{pmatrix} \pmod{10570841}$$

$$= \begin{pmatrix} 1127455 \\ 700149 \\ 1021364 \\ 1159791 \end{pmatrix} \pmod{10570841} = \begin{pmatrix} 151 \pmod{612} \\ 81 \pmod{681} \\ 259 \pmod{697} \\ 462 \pmod{601} \end{pmatrix}.$$

With these procedures, we get the plaintext $M$.
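The scheme of section 3 carried through in code with the $n = 4$ parameters of the example above ($q$, $p$, $D$, $T$, $U$, $L$, $M$, $E$); this is an added illustration written from the paper's description, not the authors' implementation. It follows C4 ($B = B_q \cdot U \cdot L$), computes $B_q$ by Gauss-Jordan elimination modulo $q$, checks conditions C1.3 and C3 before producing keys, and exposes the intermediate $X = R \cdot C_q \pmod q$ so it can be compared with the vector shown above; the function names are my own.

```python
"""Modular-matrix cryptosystem of section 3 with the paper's n = 4 example
parameters.  Added illustration, not the authors' code.  The primes are 24-bit
here, far below the 512-bit size the scheme requires."""
from typing import List, Optional, Tuple

Matrix = List[List[int]]
Vector = List[int]

# Parameters copied from the paper's example.
Q = 10570841
P = 10570837
N = P * Q
M_BOUND, E_BOUND = 500, 128            # bounds m and e on message / error entries
D = [[612, 0, 0, 0], [0, 681, 0, 0], [0, 0, 697, 0], [0, 0, 0, 601]]
T = [[5, 2, 3, 7], [4, 3, 1, 2], [4, 7, 1, 3], [2, 3, 4, 9]]
# Unimodular triangular matrices: 1 on the diagonal, multiples of q elsewhere (C4).
U = [[1, -Q, Q, -Q], [0, 1, Q, -Q], [0, 0, 1, Q], [0, 0, 0, 1]]
L = [[1, 0, 0, 0], [Q, 1, 0, 0], [Q, -Q, 1, 0], [-Q, Q, Q, 1]]
MSG = [151, 81, 259, 462]
ERR = [111, 82, 120, 109]


def matmul(A: Matrix, B: Matrix, mod: Optional[int] = None) -> Matrix:
    n = len(A)
    C = [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    return [[x % mod for x in row] for row in C] if mod else C


def matvec(A: Matrix, v: Vector, mod: Optional[int] = None) -> Vector:
    w = [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]
    return [x % mod for x in w] if mod else w


def inverse_mod(A: Matrix, mod: int) -> Matrix:
    """Gauss-Jordan elimination over Z_mod (mod prime); returns A^-1 mod `mod`."""
    n = len(A)
    aug = [[x % mod for x in A[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col])   # StopIteration if singular
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [(x * inv) % mod for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % mod for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def parameters_ok(R: Matrix) -> bool:
    """C1.3 and C3: m < |d_ii| and m + n*l_inf(R)*e < q, so that the entries of
    M + R*E never wrap around modulo q during decryption."""
    n = len(R)
    l_inf = max(abs(x) for row in R for x in row)
    return (all(M_BOUND < abs(D[i][i]) for i in range(n))
            and M_BOUND + n * l_inf * E_BOUND < Q)


def keygen() -> Tuple[Matrix, Matrix]:
    """Returns (public B, private R): R = D*T, B_q = R^-1 mod q, B = B_q*U*L mod N."""
    R = matmul(D, T)
    if not parameters_ok(R):
        raise ValueError("conditions C1.3 / C3 violated")
    Bq = inverse_mod(R, Q)
    B = matmul(matmul(Bq, U), L, N)
    return B, R


def encrypt(B: Matrix, M: Vector, E: Vector) -> Vector:
    """C = B*M + E (mod N)."""
    return [(x + e) % N for x, e in zip(matvec(B, M), E)]


def decrypt(R: Matrix, C: Vector) -> Tuple[Vector, Vector]:
    """X = R*(C mod q) mod q, then m_i = x_i mod d_ii.  Returns (M, X)."""
    Cq = [c % Q for c in C]
    # U and L are the identity mod q and R*B_q is the identity mod q, so X = M + R*E.
    X = matvec(R, Cq, Q)
    return [X[i] % D[i][i] for i in range(len(X))], X


if __name__ == "__main__":
    pub, priv = keygen()
    recovered, intermediate = decrypt(priv, encrypt(pub, MSG, ERR))
    print(intermediate, recovered)
```

A message entry at or above its $d_{ii}$ (violating C1.3) is silently reduced during decryption, which the test below shows with the entry 612 in position 1.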



4 Security Analysis 

In this section we provide some analyses of the security of the proposed scheme by considering several possible attacks, and describe conditions on the security parameters of the proposed scheme.

1. brute-force attack

We do an exhaustive search for the message vector $M$ and the error vector $E$. Choose an arbitrary vector $M'$ and then let $E' = (e'_1, \ldots, e'_n)^t = C - B \cdot M' \pmod N$. Recall that e ≈ q^'^ ≈ 2^®^. If e'_i < 2^®^ for all $1 \le i \le n$, we can accept $M'$ as a message vector with high probability. But the number of possible message vectors is m^n ≈ (q°'^)^n, so it is impossible to find a message vector by brute-force attack. Alternatively, choose a random error vector $E'$. Since the error bound $e$ is larger than the message bound, it is also impossible to find the error vector by exhaustive search.

2. application of the BKZ-reduction algorithm

The BKZ-reduction algorithm is the most efficient algorithm to solve SVP [7]. As we know, this algorithm is applicable to normed spaces. Since our scheme encrypts by modular operations, this algorithm is not applicable to finding error vectors. But even if our space were a normed space, the BKZ-reduction could not break our system, as our error vector is much larger than that of GGH.

3. factorization of $N$

If $q$ is revealed, one can find $B_q$ and $D$, so our system can be totally broken. But integer factorization is computationally difficult. Hence there is no way to find $q$.

4. randomness of an inverse matrix modulo $q$

If $n$ random elements $a_1, \ldots, a_n$ are given, the probability that $\mathrm{GCD}(a_1, \ldots, a_n) = p$ is $(1/p)^n$. Since row $i$ of $R$ is a multiple of $d_{ii}$ and $B_q$ is the inverse of $R \pmod q$, $B_q$ might leak information about $d_{ii}$ for some $i$. We tested whether the GCDs of all components of each row in $B_q$ reveal information about $d_{ii}$ for some $i$. Our simulation shows that the GCDs of all components of each row in $B_q$ are 1 with high probability if $n$ is greater than 12. Hence there is no way to get information about $d_{ii}$ or $t_{ij}$ from $B$.
5 Results of a Computer Simulation

In this section, we show the results of our computer simulation. Until now, the security of our system is based on integer factorization problems, so we compare its efficiency with RSA. The parameters of the proposed scheme are the same as those of section 3. One matrix-vector multiplication and one vector addition are needed to encrypt, and one matrix-vector multiplication and $n$ modular reductions are needed to decrypt, so the complexities of encryption and decryption are $O(n^2)$. In the RSA scheme, we set the sizes of the two large primes $p$, $q$ to 512 bits.

Scheme                   | Encryption | Decryption | Platform       | Data Size (bits)
RSA                      | 0.13 sec   | 0.19 sec   | PenII, 333MHz  | 1,024
Proposed System (n=10)   | 0.01 sec   | 0.01 sec   | PenII, 350MHz  | 2,048
Proposed System (n=30)   | 0.09 sec   | 0.15 sec   | PenII, 350MHz  | 6,144
Proposed System (n=50)   | 0.27 sec   | 0.43 sec   | PenII, 350MHz  | 10,240

Average running time of encryption and decryption

Simulation under the above settings shows that the running speed of the proposed scheme is faster than RSA in both encryption and decryption.

Remark We implemented the simulation in the C language and it is not optimized.

6 Conclusion and Further Research

We proposed a new type of public key cryptosystem. For security parameters $n$, $l$, where $n$ is the dimension of the public matrix and $l$ is the bit length of $N = p \cdot q$, the public key size of the new scheme is $O(n^2 \cdot l)$ and the computation time is $O(n^2 \cdot l^2)$, whereas the public key size of $l$-bit RSA is $l$ and its computation time is $O(l^3)$. Further research is needed in the following directions: as with other systems using a matrix as a public key, the public key size of our system is large, so a major improvement to reduce the public key size is needed for a practical system. We are also studying the difficulty of solving the modular equations, since that is what gives the security basis of our system its substance.
Abstract. The design of secure and efficient public key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as ElGamal-type encryption is concerned, some variants of the original ElGamal encryption scheme whose security depends on a weaker computational assumption have been proposed: although the security of the original ElGamal encryption is based on the decisional Diffie-Hellman assumption (DDH-A), the security of a recent scheme, such as Pointcheval's ElGamal encryption variant, is based on the weaker assumption, the computational Diffie-Hellman assumption (CDH-A). In this paper, we propose a length-saving ElGamal encryption variant whose security is based on CDH-A and analyze its security in the random oracle model. The proposed scheme is length-efficient, providing a shorter ciphertext than that of Pointcheval's scheme, and provably secure against the chosen-ciphertext attack.



1 Introduction 

1.1 Encryption Schemes Based on Diffie-Hellman Assumption 

Ever since Diffie and Hellman [9] originally proposed the concept of public-key cryptosystems, extensive research has been performed in this field. In particular, the public-key encryption scheme proposed by ElGamal [10] has attracted considerable attention. When ElGamal proposed his public-key encryption scheme, it was widely believed that the security of this scheme is based on the computational assumption called the "Diffie-Hellman assumption". Roughly speaking, the Diffie-Hellman assumption says that for a cyclic group $G$, an adversary who sees $g^x$ and $g^y$ cannot efficiently compute $g^{xy}$. Often, $G$ is defined as the multiplicative group modulo a large prime $p$, i.e., $\mathbb{Z}_p^*$, where $g$ is a generator and $x, y \in \mathbb{Z}_q$. Note here that $q$ is a large prime such that $q \mid p - 1$.

It may be true that the security of the ElGamal encryption scheme depends on the Diffie-Hellman assumption, since an adversary attacking this scheme cannot decrypt a ciphertext $(g^y, m g^{xy})$ of a message $m$ without computing $g^{xy}$. However, indistinguishability [12], which has been accepted as a general security notion of encryption schemes, does not require an attacker to decrypt the whole message. In the notion of indistinguishability, security of an encryption scheme implies that an adversary cannot distinguish ciphertexts of two messages chosen by him- or herself. Consequently, it seems that the security of ElGamal encryption should depend on some stronger assumption rather than the Diffie-Hellman assumption. In fact, Tsiounis and Yung [14] showed that the security of the ElGamal encryption scheme is not based on the Diffie-Hellman assumption but on the stronger Decisional Diffie-Hellman assumption (DDH-A). DDH-A says that an adversary who sees the two distributions $(g^x, g^y, g^{xy})$ and $(g^x, g^y, R)$, where $R$ is a randomly chosen string whose length is the same as that of $g^{xy}$, cannot distinguish these two distributions. Hence the Diffie-Hellman assumption is often called the computational Diffie-Hellman assumption (CDH-A) for the purpose of emphasizing an adversary's inability to compute the Diffie-Hellman key, $g^{xy}$. Throughout this paper, we will use the term CDH-A to refer to the Diffie-Hellman assumption.

1.2 Chosen Ciphertext Security 

Ever since Zheng and Seberry [15] initiated a full-scale research on adaptive 
chosen-ciphertext attacks, the design of public-key encryption schemes has tren- 
ded toward the prevention of these attacks. In the adaptive chosen-ciphertext 
attack, an adversary is permitted to access a decryption function as well as an 
encryption function. The adversary may use this decryption function on cipher- 
texts chosen after obtaining the challenge ciphertext, with the only restriction 
that the adversary may not ask for the decryption of the challenge ciphertext 
itself. 

Several security notions on the (adaptive or non-adaptive) chosen-ciphertext attack, including non-malleability [8], were formalized and the relationship among them was shown in [3]. Public-key encryption schemes secure against the adaptive chosen-ciphertext attack proposed so far include OAEP [5] (based on the RSA function), the Cramer-Shoup scheme [7] (based on DDH-A), DHAES [1] (based on the hash Diffie-Hellman assumption (HDH-A)), and the Fujisaki-Okamoto (F-O) scheme [11] (based on the security of any semantically secure public-key encryption scheme). More recently, a general method for converting any partially trapdoor one-way function to a public-key encryption scheme that is secure against the chosen-ciphertext attack was proposed by Pointcheval [13].

The Cramer-Shoup scheme is said to be unique since it does not impose any ideal assumption on the underlying hash function as other schemes do. Although the use of the ideal hash function model, i.e., the random oracle model [4], is still controversial [6], this paradigm often yields much more efficient schemes than those in the standard model [2].

We note here that the underlying computational assumption of the Cramer-Shoup scheme is DDH-A, which is much stronger than CDH-A, although the random oracle model is not used in this scheme. The situation remains the same in the ElGamal version of the F-O scheme. However, the underlying computational assumption of the ElGamal version of the recent Pointcheval scheme is CDH-A, which is weaker than DDH-A. On the other hand, one deficiency of this scheme is message expansion. That is, to encrypt a message $m$, one must compute $(\ldots, G(r) \oplus (m \| s))$, where $X (= g^x)$ is a public key, $r \in \mathbb{Z}_q^*$ and $s \in \mathbb{Z}_q$ are random strings of appropriate lengths. Here, both $G$ and $H$ are random oracles. Consequently, the length of a ciphertext is 1.5 times longer than that of the original ElGamal version of the F-O scheme.

Based on the aforementioned discussion, we propose another ElGamal encryption variant provably secure against the chosen-ciphertext attack in the random oracle model. The underlying computational assumption of the proposed scheme is CDH-A, but the length of the ciphertext is reduced compared with Pointcheval's scheme.

The organization of this paper is as follows: we briefly review the notions of chosen-ciphertext security for public-key encryption schemes in Section 2. In Section 3, we describe the proposed scheme and analyze its security. In Section 4, a comparison of the proposed scheme with other ElGamal variants is provided, and concluding remarks follow in the final section.



2 Notions of Security 

Although there are several security notions on chosen-plaintext attacks and chosen-ciphertext attacks, we briefly review two notions, indistinguishability under chosen-plaintext attack (IND-CPA) [3,12] and plaintext awareness (PA) [3,5].

Security against the chosen-plaintext attack for public-key encryption schemes is defined by using the following experiment: Let $A$ be an adversary with two algorithms $A_1$ and $A_2$. The "find"-stage algorithm $A_1$ is run on the public key, $pk$. At the end of $A_1$'s execution, it outputs a 3-tuple $(m_0, m_1, s)$ where $m_0$ and $m_1$ are messages that have the same length and $s$ is state information. Then one of $m_0$ and $m_1$ is selected at random and the ciphertext $y$ is determined by encrypting $m_b$ ($b \in_R \{0, 1\}$) under $pk$. The job of the "guess"-stage algorithm $A_2$ is to determine if $y$ was selected as the encryption of $m_0$ or $m_1$, namely to determine the bit $b$. If the probability that $A_2$ outputs $b$ is negligible, we say that the public-key encryption scheme is secure in the sense of IND-CPA. Now, we formally define this experiment as follows:

Definition 1 (IND-CPA). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme, where $\mathcal{K}$, $\mathcal{E}$, and $\mathcal{D}$ denote a key generation algorithm, an encryption algorithm, and a decryption algorithm, respectively. Let $A = (A_1, A_2)$ be an adversary where $A_1$ denotes a "find"-stage algorithm and $A_2$ denotes a "guess"-stage algorithm. Also, let $(sk, pk)$ be a secret and public key pair and let $s$ be state information. If the advantage of $A$

$$\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{A,\Pi} = 2 \cdot \Pr[(sk, pk) \leftarrow \mathcal{K};\ (m_0, m_1, s) \leftarrow A_1(\mathrm{find}, pk);\ b \leftarrow \{0, 1\};\ y \leftarrow \mathcal{E}_{pk}(m_b) : A_2(\mathrm{guess}, pk, s, y) = b] - 1$$

is negligible, we say that $\Pi$ is secure in the sense of IND-CPA.
Plaintext awareness (PA), first defined by Bellare and Rogaway [5], formalizes an adversary's inability to create a ciphertext $y$ without "knowing" its corresponding plaintext $x$.

We note that PA has only been defined in the random oracle model. An adversary $B$ for PA is given a public key $pk$ and access to the random oracle $H$. We also provide $B$ with an oracle for $\mathcal{E}_{pk}$. The adversary outputs a ciphertext $y$. To be PA, the adversary $B$ should necessarily know the decryption $m$ of its output. To formalize this, it is required that there exists an algorithm $K$ (knowledge extractor) that could have output $m$ just by looking at the public key, $B$'s $H$-queries and their answers, and the answers to $B$'s queries to $\mathcal{E}_{pk}$. The following is a formal definition of PA.

Definition 2 (PA). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme, let $B$ be an adversary, let $hH = \{(h_1, H_1), (h_2, H_2), \ldots, (h_{q_H}, H_{q_H})\}$ be a list of all of $B$'s oracle queries, $h_1, h_2, \ldots, h_{q_H}$, and the corresponding answers $H_1, H_2, \ldots, H_{q_H}$, and let $K$ be a knowledge extractor. Let $C = \{y_1, y_2, \ldots, y_{q_E}\}$ denote the answers (ciphertexts) resulting from $\mathcal{E}_{pk}$-queries. For any $k \in \mathbb{N}$ define

$$\mathrm{Succ}^{\mathrm{PA}}_{K,B,\Pi}(k) = \Pr[H \leftarrow \mathrm{Hash};\ (pk, sk) \leftarrow \mathcal{K}(1^k);\ (hH, C, y) \leftarrow B^{H, \mathcal{E}_{pk}}(pk) : K(hH, C, y, pk) = \mathcal{D}_{sk}(y)].$$

For $y \notin C$, we say that $K$ is a $\lambda(k)$-extractor if $K$ has running time polynomial in the length of its inputs and for every $B$, $\mathrm{Succ}^{\mathrm{PA}}_{K,B,\Pi}(k) \ge \lambda(k)$. We say that $\Pi$ is secure in the sense of PA if $\Pi$ is secure in the sense of IND-CPA and there exists a $\lambda(k)$-extractor $K$ where $1 - \lambda(k)$ is negligible.

3 Secure Length-Saving ElGamal Encryption Variant

3.1 Description of the Proposed Scheme

Our motivation for constructing a public key encryption scheme whose security relies on CDH-A is to apply a random oracle $G$ to the Diffie-Hellman key $g^{xy}$. Since $G$ is assumed to be a random oracle, $G(g^{xy})$ does not reveal any (partial) information about $g^{xy}$. Hence, to gain any advantage, the adversary must compute $g^{xy}$. Also, to provide PA, we apply another random oracle $H$ to the message $m$ concatenated with some random string $s$. This motivation leads to the proofs of the theorems provided later in this section. A concrete description of the proposed scheme $\Pi$ is as follows:

Secure Length-saving ElGamal Encryption Variant $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$

— Key generator $\mathcal{K}$

$(pk, sk) \leftarrow \mathcal{K}(1^k)$, $pk = (p, q, g, X (= g^x))$ and $sk = (p, q, g, x)$ where $x \in_R \mathbb{Z}_q$, $|p| = k = k_0 + k_1$, and $q \mid p - 1$, $q$ a large prime number.

— Hash functions (two random oracles)

$H : \{0, 1\}^k \to \mathbb{Z}_q$ and $G : \mathbb{Z}_p^* \to \{0, 1\}^k$

— Encryption $\mathcal{E}$

$\mathcal{E}_{pk}(m, s) = (\alpha, \beta) = (g^{H(m \| s)} \bmod p,\ G(X^{H(m \| s)} \bmod p) \oplus (m \| s))$, where the message $m \in \{0, 1\}^{k_0}$ and $s \leftarrow_R \{0, 1\}^{k_1}$

— Decryption $\mathcal{D}$

$$\mathcal{D}_{sk}(\alpha, \beta) = \begin{cases} [\beta \oplus G(\alpha^x \bmod p)]^{k_0} & \text{if } \alpha = g^{H(\beta \oplus G(\alpha^x \bmod p))} \bmod p \\ \varepsilon(\text{null}) & \text{otherwise} \end{cases}$$

where $[\beta \oplus G(\alpha^x \bmod p)]^{k_0}$ denotes the first $k_0$ bits of $\beta \oplus G(\alpha^x \bmod p)$.
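The scheme above in code, as an added illustration that is not the authors' code: the random oracles $G$ and $H$ are modelled with SHA-256 (a modelling choice, not the paper's), and the group ($p = 2^{127} - 1$ with a prime $q \mid p - 1$ and $k_0 = 64$) is a constructed toy choice, far below deployable sizes. The point it shows is the decryption-side check, which recomputes $g^{H(m \| s)}$ from the recovered $m \| s$ and returns null for any ciphertext whose $\alpha$ does not match, which is what plaintext awareness rests on.

```python
"""Length-saving ElGamal variant of Section 3.1: key generation, encryption and
decryption with the plaintext-awareness check.  Added illustration, not the
authors' code; G and H are modelled with SHA-256 and the group is a toy choice."""
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed group: p = 2^127 - 1 (a Mersenne prime) and a prime q dividing
# p - 1 = 2 * (2^63 - 1) * (2^63 + 1), with 2^63 + 1 = 27 * 19 * 43 * 5419 * 77158673929.
P = (1 << 127) - 1
Q = 77158673929
K = P.bit_length()          # k = |p| = 127
K0 = 64                     # message length k0
K1 = K - K0                 # random-string length k1, so that k = k0 + k1


def _generator() -> int:
    """An element g of order q: h^((p-1)/q) for the smallest h giving g != 1."""
    for h in range(2, 1000):
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g
    raise RuntimeError("no element of order q found")


GEN = _generator()


def oracle_h(bits: int) -> int:
    """Random oracle H : {0,1}^k -> Z_q, modelled as domain-tagged SHA-256 mod q."""
    digest = hashlib.sha256(b"H|" + bits.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def oracle_g(y: int) -> int:
    """Random oracle G : Z_p^* -> {0,1}^k, modelled as SHA-256 truncated to k bits."""
    digest = hashlib.sha256(b"G|" + y.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << K) - 1)


def keygen() -> Tuple[int, int]:
    """sk = x in Z_q, pk = X = g^x mod p (p, q, g are the shared constants above)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(GEN, x, P)


def encrypt(X: int, m: int, s: Optional[int] = None) -> Tuple[int, int]:
    """(alpha, beta) = (g^{H(m||s)} mod p, G(X^{H(m||s)} mod p) XOR (m||s))."""
    if not 0 <= m < (1 << K0):
        raise ValueError("message must be k0 bits")
    if s is None:
        s = secrets.randbits(K1)            # s <-R {0,1}^{k1}
    bits = (m << K1) | s                    # m || s as a k-bit integer
    r = oracle_h(bits)
    alpha = pow(GEN, r, P)
    beta = oracle_g(pow(X, r, P)) ^ bits
    return alpha, beta


def decrypt(x: int, alpha: int, beta: int) -> Optional[int]:
    """Recover m||s, then accept only if alpha = g^{H(m||s)}; None plays epsilon(null)."""
    bits = beta ^ oracle_g(pow(alpha, x, P))
    if alpha != pow(GEN, oracle_h(bits), P):
        return None                         # ciphertext not formed from a known m||s
    return bits >> K1                       # first k0 bits


if __name__ == "__main__":
    sk, pk = keygen()
    a, b = encrypt(pk, 0xDEADBEEFCAFEF00D)
    print(hex(decrypt(sk, a, b)), decrypt(sk, a, b ^ 1))
```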

3.2 Security Analysis 

In this section, we show that our ElGamal encryption variant is secure in the sense of IND-CPA under CDH-A and that there exists a knowledge extractor $K$.

Note that security in the sense of IND-CPA together with the existence of a knowledge extractor means security in the sense of PA. By the result of [3], this implies security against the adaptive chosen-ciphertext attack (IND-CCA2).

Theorem 1. If there exists an adversary attacking the encryption scheme $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ in a chosen-plaintext scenario, then we can construct an adversary that breaks CDH-A in the random oracle model with non-negligible probability.

Proof. Let $A = (A_1, A_2)$ be an adversary attacking $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ in a chosen-plaintext scenario and $\epsilon$ be the advantage of $A$. Recall that $A_1$ denotes the "find"-stage algorithm and $A_2$ denotes the "guess"-stage algorithm. Assume that both $G$ and $H$ are random oracles. Our proving strategy is to use $A$ to construct an adversary $B$ that breaks CDH-A. Suppose that $X (= g^x)$ and $Y (= g^y)$ are given to $B$. $B$ works as follows:

— First give $X$, as a public key, to $A$ and run $A$. When $A_1$ makes any oracle query $j$ to $G$, $B$ chooses a random string in $\{0, 1\}^k$ and answers it as $G(j)$. Similarly, if $A_1$ makes any oracle query $j$ to $H$, $B$ chooses a random string in $\mathbb{Z}_q$ and answers it as $H(j)$. $A_1$ finally outputs two messages $m_0$ and $m_1$. $B$ then selects $b \in \{0, 1\}$ at random, takes a random string $T$ in $\{0, 1\}^k$ for $G(X^y)$, and outputs $(\alpha, \beta) = (Y, T \oplus (m_b \| s))$ as a ciphertext. Then it defines $H(m_b \| s)$ as $y$ and $G(X^y)$ as $\beta \oplus (m_b \| s)$.

— The ciphertext $(\alpha, \beta)$ is provided as an input to $A_2$. Then, $A_2$ makes oracle queries and $B$ answers as above.

— When $A_2$ returns its answer $d \in \{0, 1\}$, $B$ returns the set of all the oracle queries asked to $G$ during the attack.

Now let us define the following two events, AskG and AskH.

— AskG: The query $X^y$ was made to $G$.

— AskH: The query $m \| s$, for some message $m$ and the $s$ chosen at the beginning by $B$, is made to $H$.

If $\mathrm{Succ}_A$ is the event that $A_2$ correctly guesses the bit $b$, i.e., outputs $d = b$, then the advantage of the adversary is defined by $2 \cdot \Pr[\mathrm{Succ}_A] - 1$. But, if $X^y$ or $(m_b \| s)$ has already been asked to $G$ or $H$, respectively, the attacker succeeds in guessing the bit $b$. Hence, $2 \cdot \Pr[\mathrm{Succ}_A] - 1 \ge \epsilon$. Since the adversary gains no advantage without AskG or AskH, we obtain

$$\Pr[\mathrm{Succ}_A] \le \frac{1}{2} + \frac{\Pr[\mathrm{AskG} \vee \mathrm{AskH}]}{2}$$

and this leads to $\Pr[\mathrm{AskG} \vee \mathrm{AskH}] \ge \epsilon$.

Furthermore,

$$\begin{aligned}
\Pr[\mathrm{AskG} \vee \mathrm{AskH}] &= \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH} \wedge \neg\mathrm{AskG}] \\
&= \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH} \mid \neg\mathrm{AskG}]\,\Pr[\neg\mathrm{AskG}] \\
&\le \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH} \mid \neg\mathrm{AskG}]
\end{aligned}$$

Yet, the probability that the event AskH takes place is very small provided that $\neg\mathrm{AskG}$ is true. More precisely,

$$\Pr[\mathrm{AskH} \mid \neg\mathrm{AskG}] \le \ldots$$

Therefore, we have

$$\Pr[\mathrm{AskG}] \ge \epsilon - \ldots$$

This implies that the probability that $X^y$ lies in the set of all the oracle queries to $G$ is greater than $\epsilon - \ldots$. Hence if the advantage $\epsilon$ of $A$ is non-negligible, $B$ breaks CDH-A with non-negligible probability. □

Now we construct a knowledge extractor K. Note that the existence of K 
implies security in the sense of PA under the assumption that $\Pi$ is secure in the 
sense of IND-CPA. 

Theorem 2. Let B be an adversary for PA. Then there exists a knowledge $\lambda(k)$-
extractor K and hence $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is secure in the sense of PA. 

Proof. Since we have shown that $\Pi$ is secure in the sense of IND-CPA, we only 
need to construct a knowledge extractor K. Assume that $gG = \{(g_1, G_1), (g_2, G_2), 
\ldots, (g_{q_G}, G_{q_G})\}$, $hH = \{(h_1, H_1), (h_2, H_2), \ldots, (h_{q_H}, H_{q_H})\}$ (all the random ora-
cle query-answer pairs of B), $C = \{y_1, y_2, \ldots, y_\ell\}$ (the set of ciphertexts that B 
has obtained from the interaction with the random oracles and the encryption 
oracle), $y = (\alpha, \beta) \notin C$ (a ciphertext produced by B which is not in C), and the 
public key X are given to K. The knowledge extractor K works as follows: 

— For all gG and hH, K checks whether there exists a pair $(g_q, h_r)$ such that 

$$y = (\alpha, \beta) = (g^{H_r}, G_q \oplus h_r).$$ 

— If there exists such a pair, K returns m and s with $h_r = m \| s$. Otherwise, it outputs 
$\varepsilon$ (null). 

Next we consider the probability that K outputs the plaintext m correctly, 
namely $m = \mathcal{D}_{sk}(y)$. Let Fail be the event that $m \ne \mathcal{D}_{sk}(y)$ and let AskG be 
the event that there exists a pair $(g_q, G_q)$ in the list gG such that $y = (\alpha, \beta) = 
(g^{H_r}, G_q \oplus h_r)$ for some $(h_r, H_r)$ in the list hH. Similarly, let AskH be the 
event that there exists a pair $(h_r, H_r)$ in the list hH such that $y = (\alpha, \beta) = 
(g^{H_r}, G_q \oplus h_r)$ for some $(g_q, G_q)$ in the list gG. Then, 

$$\Pr[Fail] = \Pr[Fail \mid AskG \wedge AskH]\,\Pr[AskG \wedge AskH] + 
\Pr[Fail \mid \neg AskG \vee \neg AskH]\,\Pr[\neg AskG \vee \neg AskH]$$ 
$$\le 0 + \Pr[Fail \mid \neg AskG \vee \neg AskH].$$ 



We now determine the upper bound of $\Pr[Fail \mid \neg AskG \vee \neg AskH]$. For valid y, 
there exist h and g such that $y = (g^{H(h)}, G(g) \oplus h)$. As $y \notin C$, it follows that 
$h \ne \mathcal{D}(y_i)$ for every $y_i \in C$. However, 

$$\Pr[valid \mid \neg AskG \vee \neg AskH] 
= \frac{\Pr[valid \wedge (\neg AskG \vee \neg AskH)]}{\Pr[\neg AskG \vee \neg AskH]}$$ 
$$\le \frac{\Pr[valid \wedge \neg AskH]}{\Pr[\neg AskH]} + \frac{\Pr[valid \wedge \neg AskG \wedge \neg AskH]}{\Pr[\neg AskG]}$$ 
$$\le \Pr[valid \mid \neg AskH] + \Pr[valid \mid \neg AskG]$$ 
$$= \frac{1}{2^{\ldots}} + \frac{1}{2^{\ldots}}.$$ 



On the other hand, if $\neg AskG$ or $\neg AskH$ is true, from the construction of K, 
it always outputs $\varepsilon$ (null), i.e., y is invalid. This means that $\Pr[Fail \mid \neg AskG \vee 
\neg AskH] = \Pr[valid \mid \neg AskG \vee \neg AskH] \le 1/2^{\ldots} + 1/2^{\ldots}$. Namely, the probability of 
rejection of a valid ciphertext is upper-bounded by $1/2^{\ldots} + 1/2^{\ldots}$. Consequently, 

$$\lambda(k) = 1 - \Pr[Fail] > 1 - \ldots$$ 

□ 

As mentioned before, we get the following corollary from Theorems 1 and 2. 
Corollary 1. The proposed scheme is secure in the sense of IND-CCA2. 

4 Comparison with Other Schemes 

We compare the length of ciphertext of the proposed scheme with the original 
ElGamal encryption scheme and other ElGamal-type encryption schemes such as 
the ElGamal encryption variant of the F-O scheme, and Pointcheval's ElGamal 
encryption variant. 

For comparison, we briefly describe how the four schemes encrypt a message m. 

• ElGamal scheme : … 

• F-O scheme : $(g^{H(m \| s)},\ \ldots \oplus (m \| s))$ 

• Pointcheval's scheme : $(\ldots,\ G(r) \oplus (m \| s))$ 

• The proposed scheme : $(g^{H(m \| s)},\ G(X^{H(m \| s)}) \oplus (m \| s))$ 
We summarize the cryptographic characteristics of the four schemes in Table 1. 

Table 1. Comparison with Other ElGamal Variants, where: $k = |\mathbb{Z}_p^*|$, RO = Random 
Oracle, E = Exponentiation, H = Random oracle computation, Comp. for Enc. = 
Computation for Encryption, Comp. for Dec. = Computation for Decryption 

                   ElGamal    F-O        Pointcheval   Proposed scheme 
Length             2k         2k         3k            2k 
Number of ROs      None       1          2             2 
Assumption         DDH-A      DDH-A      CDH-A         CDH-A 
Security           IND-CPA    IND-CCA2   IND-CCA2      IND-CCA2 
Comp. for Enc.     2E         2E+H       2E+2H         2E+2H 
Comp. for Dec.     E          2E+H       2E+2H         2E+2H 

As can be seen from the table, the proposed scheme guarantees sound security 
and length-efficiency. Under the CDH-A, it is secure in the sense of IND-CCA2. 
We now provide a more detailed explanation on the length of a ciphertext. In 
the F-O scheme, the length of a ciphertext is 2k where $k = |\mathbb{Z}_p^*|$. A ciphertext 
of the proposed scheme has the same length as those of the original ElGamal 
scheme and the F-O scheme, when the length of output of G, which is used as the 
random oracle, is set to k. In Pointcheval's scheme, the length of ciphertext is 
extended to 3k. Compared with Pointcheval's scheme, the proposed scheme 
effectively reduces the length of a ciphertext under the same circumstances, i.e., 
the security of both schemes is based on CDH-A and two random oracles are 
used. Note that the message to ciphertext ratio of the original ElGamal scheme 
is the largest since no additional random string follows the message m being 
encrypted. However, as widely known, the original ElGamal scheme is insecure 
against chosen-ciphertext attack. The message to ciphertext ratios of the other three 
schemes are the same. 

As also can be seen from the table, the computation cost required in the 
proposed scheme to encrypt and decrypt messages is estimated to be the same 
as that of Pointcheval's scheme. Note that we have omitted the computation 
required to generate the public key. 

Finally, we mention the implementation of the random oracle G. To implement 
this function, one can use the heuristic method described in [4] and [5] 
as follows: 

$$G(x) = g((0), x) \,\|\, g((1), x) \,\|\, g((2), x) \,\|\, \ldots,$$ 

where g is an efficient cryptographic hash function such as SHA-1 or MD5 which 
outputs 160 bits or 128 bits, respectively, and the notation (i) denotes a binary 
32-bit word encoding of integer i. 
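As an added worked example (not code from the paper), the proposed scheme with G built from SHA-1 and a 32-bit counter exactly as above, over a toy safe-prime group generated at import time; g = 4, the 8-byte random string s, the tagged SHA-1 used for H and the big-endian byte encoding of X^r are this example's assumptions. Decryption re-derives r = H(m||s) and rejects any ciphertext with g^r ≠ α, which is the validity check behind the knowledge extractor's null output in Theorem 2.

```python
import hashlib
import secrets

S_BYTES = 8   # length of the random string s appended to m (a constructed toy choice)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, good enough to build a toy group at import time."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits=128):
    """Safe prime p = 2q + 1; g = 4 is a square, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G_GEN = toy_group()
K_BYTES = (P.bit_length() + 7) // 8   # k: the length of m||s and of G's output


def ro_g(x_bytes, out_len=K_BYTES):
    """G(x) = g((0),x) || g((1),x) || g((2),x) || ..., with g = SHA-1 and (i) a
    32-bit big-endian word, truncated to out_len bytes (the construction of Section 4)."""
    out, i = b"", 0
    while len(out) < out_len:
        out += hashlib.sha1(i.to_bytes(4, "big") + x_bytes).digest()
        i += 1
    return out[:out_len]


def ro_h(ms):
    """H: {0,1}^* -> Z_q.  The paper fixes only the range; the tagged SHA-1 is
    this example's assumption (the tag keeps H and G apart)."""
    return int.from_bytes(hashlib.sha1(b"H:" + ms).digest(), "big") % Q


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G_GEN, x, P)   # secret key x, public key X = g^x


def encrypt(X, m):
    """(alpha, beta) = (g^H(m||s), G(X^H(m||s)) xor (m||s)), the proposed scheme."""
    if len(m) != K_BYTES - S_BYTES:
        raise ValueError("m must be exactly %d bytes" % (K_BYTES - S_BYTES))
    ms = m + secrets.token_bytes(S_BYTES)
    r = ro_h(ms)
    mask = ro_g(pow(X, r, P).to_bytes(K_BYTES, "big"))
    return pow(G_GEN, r, P), xor(mask, ms)


def decrypt(x, ct):
    """Unmask m||s, recompute r = H(m||s) and accept only if g^r == alpha.
    Without this re-encryption check the decryption oracle would answer forged
    ciphertexts; with it, invalid ones get the extractor's null answer (None)."""
    alpha, beta = ct
    if not (1 < alpha < P) or pow(alpha, Q, P) != 1:   # subgroup check, added here
        return None
    ms = xor(beta, ro_g(pow(alpha, x, P).to_bytes(K_BYTES, "big")))
    if pow(G_GEN, ro_h(ms), P) != alpha:
        return None
    return ms[:K_BYTES - S_BYTES]
```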

5 Concluding Remarks 

In this paper we have proposed another variant of the ElGamal encryption 
scheme. The security of the proposed scheme depends on CDH-A, which is much 
weaker than DDH-A. Moreover, the length of a ciphertext is reduced compared 
with the recent Pointcheval's ElGamal variant, which is based on CDH-A. Also, 
the proposed scheme provides the same degree of computational efficiency as 
other proposed schemes. 

However, as done in other practical schemes, the random oracle model is em- 
ployed to provide provable security. A construction of “practical” public-key en- 
cryption schemes secure against active adversaries without random oracle other 
than the one in [7] is an interesting and meaningful future work. 

Acknowledgements. The authors would like to thank the anonymous referees 
for their helpful comments and Prof. Ben Lee at IGU for his proof reading of the 
final version of this paper. 
Abstract. We introduce efficient algorithms for scalar multiplication 
on elliptic curves defined over $\mathbb{F}_p$. The algorithms compute $2^k P$ directly 
from P, where P is a random point on an elliptic curve, without computing 
the intermediate points, which is faster than k repeated doublings. 
Moreover, we apply the algorithms to scalar multiplication on elliptic 
curves, and analyze their computational complexity. As a result of their 
implementation with respect to affine (resp. weighted projective) coordinates, 
we achieved an increased performance factor of 1.45 (45%) (resp. 
1.15 (15%)) in the scalar multiplication of the elliptic curve of size 160-
bit. 

Keywords. Elliptic Curve Cryptosystems, Scalar Multiplication, Window 
Method, Coordinate System, Implementation 



1 Introduction 

Elliptic curve cryptosystems, which were suggested by Miller [Mi85] and Koblitz 
[Ko87], are now widely used in various security services. IEEE and other stan-
dards bodies such as ANSI and ISO are in the process of standardizing elliptic 
curve cryptosystems. Therefore, it is very attractive to provide algorithms that 
allow efficient implementation [CMO98,GP97,KT92,MOC97a,MOC97b,So97]. 

Encryption/decryption or signature generation/verification schemes require 
computation of scalar multiplication. The computational performance of crypto-
graphic protocols with elliptic curves strongly depends on the efficiency of scalar 
multiplication. Thus, fast scalar multiplication is essential for elliptic curve cryp-
tosystems. In typical methods for scalar multiplication, an addition of two points 
and a doubling of a point are calculated repeatedly, but the point doublings are 
quite costly. There are several ways to speed-up scalar multiplication, such as: 
(1) reducing the number of additions, (2) speeding-up doubling, and (3) using a 
mixed coordinate strategy [CMO98]. Our contribution will deal with the second 
approach. 

One method to increase the speed of doublings is direct computation of several 
doublings, which computes $2^k P$ directly from $P \in E(\mathbb{F}_q)$, without computing 
the intermediate points $2P, 2^2 P, \ldots, 2^{k-1} P$. The concept of direct computation 
was first suggested by Guajardo and Paar in [GP97]. They formulated algorithms 
for direct computation of 4P, 8P and 16P on elliptic curves over $\mathbb{F}_{2^n}$ in terms 
of affine coordinates. Recent related results include a formula for computing 4P 
on elliptic curves over $\mathbb{F}_p$ in affine coordinates by Müller [Mu97] and a formula 
for computing 4P on elliptic curves over $\mathbb{F}_p$ in projective coordinates by Miyaji, 
Ono and Cohen [MOC97a]. These formulae are more efficient than repeated 
doublings. However, the known formulae work only with small k (2, 3 or 4) and 
formulae in terms of weighted projective coordinates have not been given. One 
remarkable result was given by Cohen, Miyaji and Ono [CMO98]. They used a 
redundant representation of points such as $(X, Y, Z, aZ^4)$. With this represen-
tation, point doubling can be accomplished with complexity 4S + 4M, where 
S and M denote a squaring and a multiplication in $\mathbb{F}_p$ respectively. Itoh et al. 
also gave a similar method for doubling [ITTTK98]. This representation is called 
modified Jacobian coordinates [CMO98]. We can use this coordinate system for 
direct computation of several doublings. However, addition of points in modified 
Jacobian coordinates is relatively costly compared to weighted projective coor-
dinates. Therefore, one possible strategy for efficient scalar multiplication is to 
mix several coordinate systems (see [CMO98]). 

In this paper, we propose efficient algorithms for speeding-up elliptic curve 
cryptosystems with curves over $\mathbb{F}_p$ in terms of affine coordinates and weighted 
projective coordinates. We construct efficient formulae which compute $2^k P$ di-
rectly for $\forall k \ge 1$. Our formulae compute $2^k P$ directly from $P \in E(\mathbb{F}_p)$ without 
computing the intermediate points $2P, 2^2 P, \ldots, 2^{k-1} P$. In the case of affine co-
ordinates, our formula has computational complexity (4k + 1)S + (4k + 2)M + I, 
where I denotes an inversion in $\mathbb{F}_p$. This is more efficient than k repeated doub-
lings, which require k inversions. When implementing our direct computation 
method, experimental results show that computing 16P achieves a 90 percent 
performance increase over 4 doublings in affine coordinates. 

Moreover, we show a method of elliptic scalar multiplication that is combi-
ned with our direct computation methods. This method is based on a sliding 
signed binary window method [KT92]. We also implement scalar multiplication 
and discuss the efficiency. Our implementation results show that in the case of 
affine (resp. weighted projective) coordinates, we achieved a 45 percent (resp. 15 
percent) performance increase in the scalar multiplication of the elliptic curve of 
size 160-bit. Moreover, our implementation with the new method shows that when 
$\log_2 p$ is relatively large (384 or larger), scalar multiplication in affine coordinates 
can be faster than in weighted projective coordinates. 

The algorithms proposed in this paper do not depend on specific curve para-
meters. Therefore, our methods can be applied to any elliptic curve defined over 
$\mathbb{F}_p$. 

2 Previous Work 

In this section, we summarize known algorithms for point doubling and direct 
computation of several doublings. 
Throughout this paper, we will use the following notations. Let $\mathbb{F}_p$ denote a 
prime finite field with p elements. We consider an elliptic curve E given by 

$$E : Y^2 = X^3 + aX + b \qquad (a, b \in \mathbb{F}_p,\ p > 3,\ 4a^3 + 27b^2 \ne 0)$$ 

Let $P_1 = (x_1, y_1)$ and $P_{2^k} = 2^k P_1 = (x_{2^k}, y_{2^k}) \in E(\mathbb{F}_p)$. Let S, M and I 
denote a squaring, a multiplication and an inversion in $\mathbb{F}_p$, respectively. When 
we estimate computational efficiency, we will ignore the cost of a field addition, 
as well as the cost of multiplication by small constants. 



2.1 Point Doubling 

In terms of affine coordinates, point doubling can be accomplished as follows. 
Assume $P_1 = (x_1, y_1) \ne O$, where O denotes the point at infinity. The point 
$P_2 = (x_2, y_2) = 2P_1$ can be computed as follows: 

$$x_2 = \lambda^2 - 2x_1, \qquad y_2 = (x_1 - x_2)\lambda - y_1, \qquad \lambda = \frac{3x_1^2 + a}{2y_1} \qquad (1)$$ 

The formulae above have computational complexity 2S + 2M + I [IEEE]. 

In terms of weighted projective coordinates, doubling can be accomplished 
as follows. Assume $P_1 = (X_1, Y_1, Z_1) \ne O$. The point $P_2 = (X_2, Y_2, Z_2) = 2P_1$ 
can be computed as follows. 

$$X_2 = M^2 - 2S, \qquad Y_2 = M(S - X_2) - T, \qquad Z_2 = 2Y_1 Z_1, \qquad (2)$$ 
$$M = 3X_1^2 + aZ_1^4, \qquad S = 4X_1 Y_1^2, \qquad T = 8Y_1^4$$ 

In the case of general curves, the formulae above have computational complexity 
6S + 4M [IEEE]. 



2.2 Direct Doubling 

The concept of using direct computation of $2^k P$ for efficient elliptic scalar multi-
plication was first proposed by Guajardo and Paar in [GP97]. They formulated 
algorithms for computing 4P, 8P or 16P on elliptic curves over $\mathbb{F}_{2^n}$ in terms of 
affine coordinates. In recent years, several authors have written methods to com-
pute $2^k P$ directly (but limited to small k). The following summarizes 
previous work on direct computation of several doublings. 

1. Guajardo and Paar [GP97] proposed formulae for computing 4P, 8P and 
16P on elliptic curves over $\mathbb{F}_{2^n}$ in terms of affine coordinates. 

2. Müller [Mu97] proposed a formula for computing 4P on elliptic curves over 
$\mathbb{F}_p$ in terms of affine coordinates. 

3. Miyaji, Ono and Cohen [MOC97a] proposed a formula for computing 4P on 
elliptic curves over $\mathbb{F}_p$ in terms of projective coordinates. 

4. Han and Tan [HT99] proposed formulae for computing 3P, 5P, 6P and 7P, 
etc., on elliptic curves over $\mathbb{F}_{2^n}$ in terms of affine coordinates. 

The formulae above can efficiently compute $2^k P$ compared to computing k 
doublings. However, the formulae listed below have not been explicitly given. 

1. General (i.e., $\forall k \ge 1$) formulae for direct computations in elliptic curves 
over $\mathbb{F}_p$ in terms of affine coordinates. 

2. Formulae for direct computations in terms of weighted projective coordina-
tes. 

In later sections, we will formulate the above algorithms, and analyze their 
computational complexity. In the case of k = 2, i.e., 4P, on elliptic curves over $\mathbb{F}_p$ 
in affine coordinates, our algorithms are more efficient than Müller's algorithm. 

We should remark that the algorithm proposed by Cohen, Miyaji and Ono 
in [CMO98] can be efficiently used for direct computation of several doublings. 
The authors call their algorithm a "modified Jacobian" coordinate system. The 
coordinate system uses a (redundant) mixed representation, e.g., $(X, Y, Z, aZ^4)$. 
Doubling in terms of the modified Jacobian coordinates has computational ad-
vantages over weighted projective (Jacobian) coordinates. 

3 Direct Computations of $2^k P$ in Affine Coordinates 

In this section, we provide formulae for direct computation of $2^k P$, where $\forall k \ge 1$, 
in terms of affine coordinates. In the next section, we will show formulae in terms 
of weighted projective coordinates and discuss their computational efficiency. 

In the case of affine coordinates, direct computation of several doublings may 
be significantly more efficient, as suggested in [GP97], because we can construct 
formulae that require only one modular inversion, as opposed to the k inversions 
that k separate doubling operations would require for computing $2^k P$. 

Modular inversion is generally more expensive than modular multiplication 
[WMPW98]. Therefore, direct computation of several doublings may be effective 
in elliptic scalar multiplication in terms of affine coordinates. 

3.1 Doubling 

We begin by showing doubling formulae with the purpose of constructing for-
mulae for general (i.e., $\forall k \ge 1$) cases. 

Let 

$$A_1 = x_1, \qquad B_1 = 3x_1^2 + a, \qquad C_1 = -y_1, \qquad D_1 = 12A_1C_1^2 - B_1^2$$ 

Efficient Scalar Multiplications on Elliptic Curves 63 

Then the doubled point $P_2 = (x_2, y_2)$ of $P_1 = (x_1, y_1)$ can be computed as 
follows. 

$$x_2 = \frac{B_1^2 - 8A_1C_1^2}{(2C_1)^2}, \qquad y_2 = \frac{8C_1^4 - B_1 D_1}{(2C_1)^3} \qquad (3)$$ 

Note that although the denominator of $x_2$ differs from that of $y_2$, the formulae 
above require only one inversion if we multiply the numerator of $x_2$ by $2C_1$. 

The formulae have computational complexity 4S + 6M + I. On the other 
hand, the formulae (1) have complexity 6S + 4M + I. Therefore, it is clear that 
the formulae given in this subsection are inefficient. (We show the above formulae 
only for the purpose of constructing formulae for k > 1, as stated previously.) 



3.2 Computing 4P 



In affine coordinates, quadrupling a point can be accomplished by the following: 

$$A_2 = B_1^2 - 8A_1C_1^2, \qquad B_2 = 3A_2^2 + 16aC_1^4,$$ 
$$C_2 = -8C_1^4 - B_1(A_2 - 4A_1C_1^2), \qquad D_2 = 12A_2C_2^2 - B_2^2,$$ 
$$x_4 = \frac{B_2^2 - 8A_2C_2^2}{(4C_1C_2)^2}, \qquad y_4 = \frac{8C_2^4 - B_2D_2}{(4C_1C_2)^3} \qquad (4)$$ 

where $P_4 = (x_4, y_4) = 4P_1 = 4(x_1, y_1)$. 

The formulae have computational complexity 9S + 10M + I. Müller's formula 
[Mu97] has complexity 7S + 14M + I. Therefore, our formula, above, is clearly 
more efficient. Moreover, we will show in a later section that computing 4P 
by the formula given in this section has less complexity than computing two 
separate doublings by (1). 



3.3 Computing 8P 

In affine coordinates, computing $P_8 = (x_8, y_8) = 8P_1 = 8(x_1, y_1)$ can be accom-
plished by the following: 

$$A_3 = B_2^2 - 8A_2C_2^2, \qquad B_3 = 3A_3^2 + 256aC_1^4C_2^4,$$ 
$$C_3 = -8C_2^4 - B_2(A_3 - 4A_2C_2^2), \qquad D_3 = 12A_3C_3^2 - B_3^2,$$ 
$$x_8 = \frac{B_3^2 - 8A_3C_3^2}{(8C_1C_2C_3)^2}, \qquad y_8 = \frac{8C_3^4 - B_3D_3}{(8C_1C_2C_3)^3} \qquad (5)$$ 

These formulae have computational complexity 13S + 14M + I. We will later 
show that computing 8P by the formulae given in this section has less complexity 
than computing three separate doublings by (1). 



3.4 Computing 16P 

In affine coordinates, computing $P_{16} = (x_{16}, y_{16}) = 16P_1 = 16(x_1, y_1)$ can be 
accomplished by the following: 

$$A_4 = B_3^2 - 8A_3C_3^2, \qquad B_4 = 3A_4^2 + 4096aC_1^4C_2^4C_3^4,$$ 
$$C_4 = -8C_3^4 - B_3(A_4 - 4A_3C_3^2), \qquad D_4 = 12A_4C_4^2 - B_4^2,$$ 
$$x_{16} = \frac{B_4^2 - 8A_4C_4^2}{(16C_1C_2C_3C_4)^2}, \qquad y_{16} = \frac{8C_4^4 - B_4D_4}{(16C_1C_2C_3C_4)^3} \qquad (6)$$ 

The formulae have computational complexity 17S + 18M + I. We will show in a 
later section that computing 16P by the formulae given in this section has less 
complexity than computing four separate doublings by (1). 



3.5 The Formulae for Computing $2^k P$ in Affine Coordinates 

From the formulae, which compute 4P, 8P or 16P, given in the previous subsec-
tions, we can easily obtain general formulae that allow direct doubling $P_1 \to 2^k P$, 
where $k \ge 1$. The figure shown below describes these formulae, and their com-
putational complexity is given as Theorem 1. 

Algorithm 1: Direct computation of $2^k P$ in affine coordinates, where $k \ge 1$ 
and $P \in E(\mathbb{F}_p)$. 

INPUT: $P_1 = (x_1, y_1) \in E(\mathbb{F}_p)$ 

OUTPUT: $P_{2^k} = 2^k P_1 = (x_{2^k}, y_{2^k}) \in E(\mathbb{F}_p)$ 

Step 1. Compute $A_1$, $B_1$ and $C_1$ 

$$A_1 = x_1, \qquad B_1 = 3x_1^2 + a, \qquad C_1 = -y_1$$ 

Step 2. For i from 2 to k compute $A_i$, $B_i$ and $C_i$ 

$$A_i = B_{i-1}^2 - 8A_{i-1}C_{i-1}^2$$ 
$$B_i = 3A_i^2 + 16^{i-1} a \Big(\prod_{j=1}^{i-1} C_j\Big)^4$$ 
$$C_i = -8C_{i-1}^4 - B_{i-1}(A_i - 4A_{i-1}C_{i-1}^2)$$ 

Step 3. Compute $D_k$ 

$$D_k = 12A_kC_k^2 - B_k^2$$ 

Step 4. Compute $x_{2^k}$ and $y_{2^k}$ 

$$x_{2^k} = \frac{B_k^2 - 8A_kC_k^2}{\big(2^k \prod_{i=1}^{k} C_i\big)^2}, \qquad 
y_{2^k} = \frac{8C_k^4 - B_kD_k}{\big(2^k \prod_{i=1}^{k} C_i\big)^3}$$ 

Theorem 1. In terms of affine coordinates, there exists an algorithm that com-
putes $2^k P$ in at most 4k + 1 squarings, 4k + 2 multiplications, and one inversion 
in $\mathbb{F}_p$ for any point $P \in E(\mathbb{F}_p)$. 

Proof. It is easy to prove by induction on k. □ 

It should be noted that the point $P_1$ has to be an element with an order larger 
than $2^k$. This requirement ensures that $2^k P$ will never equal O. 

3.6 Complexity Comparison 

In this subsection, we compare the computational complexity of a direct doubling 
of $2^k P$ given in the previous subsection and k separate repeated doublings. The 
complexity of a doubling is estimated based on the algorithm given in [IEEE]. 
Table 1 shows the number of squarings S, multiplications M, and inversions 
I in $\mathbb{F}_p$. We should point out that our method reduces inversions at the cost 
of increased multiplications. Therefore, the performance of the new formulae 
depends on the cost factor of one inversion relative to one multiplication. For 
this purpose we introduce, as in [GP97], the notion of a "break-even point". It is 
possible to express the time that it takes to perform one inversion in terms of the 
equivalent number of multiplications needed per inversion. In this comparison, 
we assume that one squaring has complexity S = 0.8M. We also assume that 
the cost of field addition and multiplication by small constants can be ignored. 

As we can see from Table 1, if a field inversion has complexity I > 10M, one 
quadrupling may be more efficient than two separate doublings. In cases where 
$\mathbb{F}_p$ has a size of 160-bit or larger, it is extremely likely that I > 10M in many 
implementations (i.e., [CMO98,WMPW98]). Moreover, in cases of k > 2, our 
direct computation method may be more efficient than individual doublings in 
most implementations. 

4 Direct Computation of $2^k P$ in Weighted Projective Coordinates 

In this section, we provide formulae for direct computation of 2^P in terms of 
weighted projective coordinates and discuss the computational efficiency. 
Table 1. Complexity comparison 

Calculation   Method                  Complexity              Break-Even Point 
                                      S       M       I 
4P            Direct Doublings        9       10      1       10M < I 
              Separate 2 Doublings    4       4       2 
8P            Direct Doublings        13      14      1       7.2M < I 
              Separate 3 Doublings    6       6       3 
16P           Direct Doublings        17      18      1       5.7M < I 
              Separate 4 Doublings    8       8       4 
$2^k P$       Direct Doublings        4k+1    4k+2    1       $\frac{3.6k + 2.8}{k - 1} M < I$ 
              Separate k Doublings    2k      2k      k 

4.1 General Formulae for Computing $2^k P$ in Weighted Projective 
Coordinates 

In cases where field inversions are significantly more expensive than multiplica-
tions, it is preferable to use weighted projective coordinates (also referred to as 
Jacobian coordinates), where a triplet (X, Y, Z) corresponds to the affine coor-
dinates $(X/Z^2, Y/Z^3)$ whenever $Z \ne 0$. 

From Algorithm 1, we can immediately derive formulae for direct compu-
tation of $2^k P$ in terms of weighted projective coordinates. The computational 
complexity of Algorithm 2 is given as Theorem 2. 

Algorithm 2: Direct computation of $2^k P$ in weighted projective coordinates, 
where $k \ge 1$ and $P \in E(\mathbb{F}_p)$. 

INPUT: $P_1 = (X_1, Y_1, Z_1) \in E(\mathbb{F}_p)$ 

OUTPUT: $P_{2^k} = (X_{2^k}, Y_{2^k}, Z_{2^k}) = 2^k P_1 \in E(\mathbb{F}_p)$ 

Step 0. Mapping: $(X_1, Y_1, Z_1) \to (X_1', Y_1', 1)$ 

( if $Z_1 = 0$ terminate with $P_{2^k} = O$ ) 

Step 1. Compute $A_1$, $B_1$ and $C_1$ 

$$A_1 = X_1', \qquad B_1 = 3X_1'^2 + a, \qquad C_1 = -Y_1'$$ 

Step 2. For i from 2 to k compute $A_i$, $B_i$ and $C_i$ 

$$A_i = B_{i-1}^2 - 8A_{i-1}C_{i-1}^2$$ 
$$B_i = 3A_i^2 + 16^{i-1} a \Big(\prod_{j=1}^{i-1} C_j\Big)^4$$ 
$$C_i = -8C_{i-1}^4 - B_{i-1}(A_i - 4A_{i-1}C_{i-1}^2)$$ 

Step 3. Compute $D_k$ 

$$D_k = 12A_kC_k^2 - B_k^2$$ 

Step 4. Compute $X_{2^k}$, $Y_{2^k}$ and $Z_{2^k}$ 

$$X_{2^k} = B_k^2 - 8A_kC_k^2, \qquad Y_{2^k} = 8C_k^4 - B_kD_k, \qquad Z_{2^k} = 2^k \prod_{i=1}^{k} C_i$$ 

Theorem 2. In terms of weighted projective coordinates, there exists an algo-
rithm that computes $2^k P$ in at most 4k + 1 squarings, 4k − 1 multiplications 
in $\mathbb{F}_p$, except Step 0, for any point $P \in E(\mathbb{F}_p)$. In particular, doublings can be 
computed with 4 squarings and 2 multiplications in $\mathbb{F}_p$. 

Proof. It is easy to prove by induction on k. □ 

Algorithm 2 does not require the following three multiplications, which Algo-
rithm 1 (in affine coordinates) requires: 

1. multiplication of x by $\prod_{i=1}^{k} C_i$ 

2. multiplication of x by the inversion 

3. multiplication of y by the inversion 

4.2 Quadrupling 

In Algorithm 3, which follows, we describe formulae for computing 4P directly in 
terms of weighted projective coordinates. The algorithm does not require Step 
0 in Algorithm 2. 

Algorithm 3: Computing 4P in weighted projective coordinates 

INPUT: $P_1 = (X_1, Y_1, Z_1) \in E(\mathbb{F}_p)$ 

OUTPUT: $P_4 = (X_4, Y_4, Z_4) = 4P_1 \in E(\mathbb{F}_p)$ 

Step 1. Compute A, B, C and D 

$$A = 3X_1^2 + aZ_1^4$$ 
$$B = A^2 - 8X_1Y_1^2$$ 
$$C = -8Y_1^4 + A(12X_1Y_1^2 - A^2)$$ 
$$D = 16aY_1^4Z_1^4 + 3B^2$$ 

Step 2. Compute $X_4$, $Y_4$ and $Z_4$ 

$$X_4 = -8BC^2 + D^2$$ 
$$Y_4 = -8C^4 + D(12BC^2 - D^2)$$ 
$$Z_4 = 4Y_1Z_1C$$ 

The algorithm above has computational complexity 10S + 9M. 
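The following is an added Python example (not the authors' implementation) that runs Algorithms 1, 2 and 3 on a toy curve over F_p with p = 2^61 − 1, a = −3 and b chosen so that (5, 7) lies on the curve (all constructed here), and checks each result against k repeated doublings by the affine formulae (1). The recurrences of Steps 1 and 2 are shared by Algorithms 1 and 2; only the final step differs (one inversion versus none).

```python
# Toy curve constructed for this example: p = 2^61 - 1 (a Mersenne prime), a = -3,
# and b chosen so that P1 = (5, 7) lies on E: y^2 = x^3 + a x + b.  Affine points
# are (x, y) tuples; weighted projective (Jacobian) points are (X, Y, Z) with
# x = X/Z^2 and y = Y/Z^3.
P = 2**61 - 1
A = P - 3
P1 = (5, 7)
B = (7 * 7 - 5**3 - A * 5) % P


def inv(z):
    return pow(z, P - 2, P)


def on_curve(pt):
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0


def double_affine(pt):
    """One doubling by the textbook formulae (1): 2S + 2M + I."""
    x, y = pt
    lam = (3 * x * x + A) * inv(2 * y) % P
    x2 = (lam * lam - 2 * x) % P
    return x2, (lam * (x - x2) - y) % P


def repeated_doubling(pt, k):
    for _ in range(k):
        pt = double_affine(pt)
    return pt


def _chain(x, y, k):
    """Steps 1-2 of Algorithms 1 and 2: the recurrences for A_i, B_i, C_i.
    Returns A_k, B_k, C_k and prod_{j=1}^{k} C_j; the product is zero exactly when
    some 2^i P1 (i <= k) is the point at infinity, which the formulae cannot express."""
    a_i, b_i, c_i = x, (3 * x * x + A) % P, (-y) % P
    prod_c = 1                                   # prod_{j=1}^{i-1} C_j
    for i in range(2, k + 1):
        prod_c = prod_c * c_i % P
        a_n = (b_i * b_i - 8 * a_i * c_i * c_i) % P
        c_n = (-8 * pow(c_i, 4, P) - b_i * (a_n - 4 * a_i * c_i * c_i)) % P
        b_n = (3 * a_n * a_n + pow(16, i - 1, P) * A * pow(prod_c, 4, P)) % P
        a_i, b_i, c_i = a_n, b_n, c_n
    prod_c = prod_c * c_i % P
    if prod_c == 0:
        raise ValueError("2^k P1 (or an intermediate point) is the point at infinity")
    return a_i, b_i, c_i, prod_c


def direct_2k_affine(pt, k):
    """Algorithm 1: 2^k P1 in affine coordinates with a single inversion."""
    a_k, b_k, c_k, prod_c = _chain(*pt, k)
    d_k = (12 * a_k * c_k * c_k - b_k * b_k) % P
    t = inv(pow(2, k, P) * prod_c % P)          # the only inversion (Step 4)
    x2k = (b_k * b_k - 8 * a_k * c_k * c_k) * t * t % P
    y2k = (8 * pow(c_k, 4, P) - b_k * d_k) * pow(t, 3, P) % P
    return x2k, y2k


def direct_2k_jacobian(pt, k):
    """Algorithm 2 for an affine input (Step 0 already done): no inversion at all."""
    a_k, b_k, c_k, prod_c = _chain(*pt, k)
    d_k = (12 * a_k * c_k * c_k - b_k * b_k) % P
    return ((b_k * b_k - 8 * a_k * c_k * c_k) % P,
            (8 * pow(c_k, 4, P) - b_k * d_k) % P,
            pow(2, k, P) * prod_c % P)


def quadruple_jacobian(pt):
    """Algorithm 3: 4P directly from any Jacobian representative, without Step 0."""
    X1, Y1, Z1 = pt
    A1 = (3 * X1 * X1 + A * pow(Z1, 4, P)) % P
    B1 = (A1 * A1 - 8 * X1 * Y1 * Y1) % P
    C1 = (-8 * pow(Y1, 4, P) + A1 * (12 * X1 * Y1 * Y1 - A1 * A1)) % P
    D1 = (16 * A * pow(Y1, 4, P) * pow(Z1, 4, P) + 3 * B1 * B1) % P
    X4 = (-8 * B1 * C1 * C1 + D1 * D1) % P
    Y4 = (-8 * pow(C1, 4, P) + D1 * (12 * B1 * C1 * C1 - D1 * D1)) % P
    return X4, Y4, 4 * Y1 * Z1 * C1 % P


def to_affine(pt):
    X, Y, Z = pt
    zi = inv(Z)
    return X * zi * zi % P, Y * pow(zi, 3, P) % P


if __name__ == "__main__":
    for k in range(1, 6):
        assert direct_2k_affine(P1, k) == repeated_doubling(P1, k)
        assert to_affine(direct_2k_jacobian(P1, k)) == repeated_doubling(P1, k)
    assert to_affine(quadruple_jacobian((5, 7, 1))) == repeated_doubling(P1, 2)
    print("Algorithms 1-3 agree with repeated doubling on the toy curve")
```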

As we have stated before, if a modified Jacobian representation $(X, Y, Z, aZ^4)$ 
is used, a point doubling can be accomplished with complexity 4S + 4M [CMO98]. 
Therefore, a quadrupling can be accomplished with complexity 8S + 8M. Itoh 
et al. also gave a way to quadruple with complexity 8S + 8M [ITTTK98]. 
However, in modified Jacobian coordinates, the formulae for addition of points, 
which have complexity 6S + 13M, are more costly than those in weighted projective 
coordinates. One optimal way to speed-up scalar multiplication is to mix mo-
dified Jacobian coordinates with projective, weighted projective, or Chudnovsky 
Jacobian coordinates [CC86,CMO98]. 

5 Scalar Multiplication with Direct Computation of $2^k P$ 

By using our previous formulae for direct computation of $2^k P$, we can improve el-
liptic scalar multiplication with the sliding signed binary window method [Go98, 
KT92]. For example we apply our new formulae to the window method with 
windows of length 4. We represent a scalar m in $P_1 \to mP$ with a nonadja-
cent form (NAF)¹. For example, $m = (1101110111)_2$ will be represented as 
$m' = (100\bar{1}000\bar{1}00\bar{1})_{NAF}$, where $\bar{1}$ denotes −1. 

¹ Koyama and Tsuruoka pointed out that NAF is not necessarily the optimal re-
presentation to use [Go98,KT92]. Although it has minimal weight, allowing a few 
adjacent nonzeros may increase the length of zero runs, which, in turn, reduces the 
total number of multiplies. Their method may be useful for our scalar multiplication 
with direct computations of $2^k P$. 
Algorithm 4 describes scalar multiplication on elliptic curves using our direct 
computations of $2^k P$ in the case of k up to 4. 

Algorithm 4: Elliptic scalar multiplication using our direct computation of 
$2^k P$ in the case of k up to 4 

INPUT: $P \in E(\mathbb{F}_p)$, $m \in \mathbb{Z}$ 

OUTPUT: $mP \in E(\mathbb{F}_p)$ 

Step 1. Construct the NAF representation 

$$m = (e_t e_{t-1} \cdots e_1 e_0)_{NAF}, \qquad e_i \in \{-1, 0, 1\}$$ 

Step 2. Precomputation 

2.1 $P_6 \leftarrow 6P$ 

2.2 For i from 7 to 10 do: $P_i \leftarrow P_{i-1} + P$ 

Step 3. $P_m \leftarrow O$, $i \leftarrow t$ 

Step 4. While $i \ge 0$ do the following: 

4.1 If $e_i = 0$ then: 
find the longest bitstring $e_i e_{i-1} \cdots e_l$ such that $e_i = e_{i-1} = \cdots = e_l = 0$, 
and do the following 

$P_m \leftarrow 2^{i-l+1} P_m$ 

$i \leftarrow l - 1$ 

4.2 else ($e_i \ne 0$): 

If $(e_i e_{i-1} e_{i-2} e_{i-3})_{NAF} > 0$ then: 

$P_m \leftarrow 16P_m + P_{(e_i e_{i-1} e_{i-2} e_{i-3})_{NAF}}$ 

else: 

$P_m \leftarrow 16P_m - P_{|(e_i e_{i-1} e_{i-2} e_{i-3})_{NAF}|}$ 

$i \leftarrow i - 4$ 

Step 5. Return $P_m$ 

In Algorithm 4, we compute 16P directly from P in each window instead of 
4 separate doublings. In Step 4.1, with strings of zero-runs in the NAF of the scalar m, 
we should choose computations 16P, 8P, 4P or 2P optimally. This can be done 
with rules such as: 1) If the length of a zero run equals 4, we compute 16P. 2) If the 
length of a zero run equals 3, we compute 8P, and so on. 

Using our algorithms for scalar multiplication, many of the doublings in an 
ordinary window method will be replaced by the direct computation of 16P. 
Therefore, if one computation of 16P is relatively faster than four doublings, 
scalar multiplication with our method may be significantly improved. We will 
examine this improvement by real implementation in the next section. 
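Algorithm 4 as an added Python example (not the authors' code) on a toy curve constructed here (p = 2^61 − 1, a = −3, b fitted to the base point (5, 7)). The 2^k P_m step is plain repeated doubling, which is exactly where the paper's direct 4P/8P/16P formulae would be substituted; the precomputed table is extended from 6P..10P to 1P..10P so that a final window shorter than four digits is handled, a case the algorithm as written leaves implicit.

```python
# Toy curve constructed for this example: p = 2^61 - 1 (a Mersenne prime), a = -3,
# and b chosen so that the base point (5, 7) lies on E.  O is represented by None.
P = 2**61 - 1
A = P - 3
BASE = (5, 7)
B = (7 * 7 - 5**3 - A * 5) % P


def inv(z):
    return pow(z, P - 2, P)


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Affine addition; doubles when p1 == p2 and returns O for p1 == -p2."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def double_k(pt, k):
    """2^k * pt by k repeated doublings.  In the paper this is the step replaced by
    the direct 4P, 8P and 16P formulae (one field inversion instead of k)."""
    for _ in range(k):
        pt = add(pt, pt)
    return pt


def naf(m):
    """Non-adjacent form of m >= 0, most significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while m > 0:
        d = (2 - m % 4) if m & 1 else 0   # odd m: choose +-1 so that m - d is divisible by 4
        digits.append(d)
        m = (m - d) // 2
    return digits[::-1]


def naive_mult(m, pt):
    """Reference double-and-add, used only to check Algorithm 4."""
    acc = None
    for bit in bin(m)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def scalar_mult(m, pt, window=4):
    """Algorithm 4: sliding window of length 4 over the NAF of m; zero runs are
    consumed as 16P, 8P, 4P or 2P steps, each nonzero window costs one addition."""
    if m < 0:
        m, pt = -m, neg(pt)
    e = naf(m)[::-1]                          # e[i] has weight 2^i, like e_i in the paper
    if not e:
        return None
    # Step 2: a full 4-digit NAF window with a nonzero leading digit is worth 6..10,
    # which is all the paper precomputes; the last window may be shorter and be
    # worth 1..5, so this table covers 1..10.
    table = {1: pt}
    for j in range(2, 11):
        table[j] = add(table[j - 1], pt)
    pm, i = None, len(e) - 1                  # Step 3: P_m <- O, i <- t
    while i >= 0:                             # Step 4
        if e[i] == 0:                         # 4.1: longest zero run e_i ... e_l
            l = i
            while l >= 0 and e[l] == 0:
                l -= 1
            run = i - l
            while run > 0:                    # 2^run P_m in chunks of at most 4
                step = min(run, window)
                pm = double_k(pm, step)
                run -= step
            i = l
        else:                                 # 4.2: window (e_i ... e_{i-w+1})_NAF
            w = min(window, i + 1)
            v = 0
            for j in range(w):
                v = 2 * v + e[i - j]
            pm = double_k(pm, w)
            pm = add(pm, table[v] if v > 0 else neg(table[-v]))
            i -= w
    return pm
```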

6 Implementation 

In this section, we implement our previous methods. We implement 6 elliptic 
curves over $\mathbb{F}_p$ with $\log_2 p$ = 160, 192, 224, 256, 384 or 521. We call these curves 
P160, P192, P224, P256, P384 or P521, respectively. Their parameters can be 
found in A, and they all have prime order. Moreover, the coefficients a of the 
curves are chosen as equal to 1 or −3 for efficient implementation. However, in 
our implementation, for the purpose of making a comparison with general curves, 
we apply general algorithms that do not depend on the parameter a. 

The platform was a Pentium II 400MHz, Windows NT 4.0 and Watcom 
11.0. Programs were written in assembly language for multi-precision integer 
operations, which may be time critical in implementation, or in ANSI C 
for other operations. 

6.1 Inversion 

We applied Lehmer's method [Le38] to modular inversion. In affine coordinate 
computations, modular inversion in $\mathbb{F}_p$ is more expensive than modular mul-
tiplication. Therefore, it is important to apply an efficient method to modular 
inversion. 

Remark 1. We applied Lehmer's method to field inversion in our implementa-
tion. Although several methods of inversion have been developed, it is not clear 
which method delivers the most practical speed increase for the range of integers 
that interests us (up to 521-bit). If we have an efficient method for inversion, 
elliptic curve cryptosystems with affine coordinates may be faster than those with 
projective or weighted projective coordinates. 

In our implementation, the speed ratio of a multiplication to an inversion 
I/M is approximately equal to 25 in the case of $\log_2 p$ = 160. Our I/M tends to 
decrease with larger $\log_2 p$. 

6.2 Number of $2^k P$ Computations in the Window Method 

Table 2 shows the number of computations of $2^k P$ and additions required in the 
sliding signed binary window method based on Algorithm 4. Typical window 
sizes of 2 and 4 were used. The numbers were counted by our implementation. 
In the case of a window of length 2, direct computations of 4P can be used. In 
the case of a window of length 4, direct computations of 4P, 8P and 16P can 
be used. 

We can see from the table that: 1) With direct computations of up to 16P, 
the computational efficiency of 16P significantly affects scalar multiplication. 
2) With direct computations of up to 4P, the computational efficiency of 4P 
significantly affects scalar multiplication. 

6.3 Timings 

Table 3 shows timings of point additions and direct computations of $2^k P$ in 
our implementation. Table 4 shows timings of scalar multiplication. In Table 4, 
"traditional" means a sliding signed binary window method using addition and 
doubling. These two tables also show timings for modified Jacobian coordinates. 
In the case of affine coordinates, we used direct computation of 4P, 8P and 16P. 
In the case of weighted projective coordinates, we used direct computation of 
4P. 

Table 2. Number of computations of $2^k P$, where k = 1, 2, 3 or 4, and additions in the 
sliding signed binary window method with window length 2 or 4 

                     Window of length 4                    Window of length 2 
Curves    Add.       2P       4P       8P       16P        2P       4P 
P160      36.82      14.93    4.99     2.58     31.75      17.51    71.07 
P192      37.63      15.29    5.06     2.64     39.54      17.93    86.78 
P224      37.77      15.31    5.05     2.69     47.49      18.00    102.72 
P256      41.77      15.31    5.06     2.70     55.53      18.01    118.82 
P384      48.76      17.13    5.10     3.59     86.26      22.72    181.21 
P521      90.39      31.34    14.51    6.94     109.87     39.28    241.19 

As can be seen from Table 4, in the case of affine coordinates, in which 
direct computation of $2^k P$ with $2 \le k \le 4$ was used, we achieved a 45 percent 
performance increase in the scalar multiplication of the elliptic curve of size 160-
bit. In the case of weighted projective coordinates, in which direct computation 
of $2^k P$ with k = 2 was used, we achieved a 15 percent performance increase in 
the scalar multiplication of the elliptic curve of size 160-bit. 

In the case of modified Jacobian coordinates, we have not yet developed 
formulae for direct computation of several doublings. Our experimental results 
suggest that direct computation provides a performance increase. Therefore, 
once efficient formulae are available, modified Jacobian coordinates may provide 
superior results. 

We have one other observation to make from Table 4. In most implemen-
tations of curves of size 160-bit, scalar multiplications in projective or weighted 
projective coordinates are faster than those in affine coordinates. On the other 
hand, in our implementation with the new method, when $\log_2 p$ is relatively 
large (P384 and P521), scalar multiplications in affine coordinates are faster 
than those in weighted projective coordinates. As previously stated, the answer 
to the question "which coordinate system is faster" strongly depends on the ratio 
I/M. In our implementation, I/M decreases with larger $\log_2 p$. This is the main 
reason that scalar multiplication in affine coordinates is faster in the cases of P384 
and P521. 

7 Conclusions and Further Work

In this paper, we have constructed formulae for computing 2^k P directly from P ∈ E(F_p), without computing the intermediate points 2P, 2^2 P, ..., 2^{k-1} P, in terms of affine and weighted projective coordinates. We showed that our algorithms are more efficient than k separate doublings and lead to a running time improvement of scalar multiplication. Combining our method with the mixed coordinate strategy proposed in [CMO98] may increase elliptic scalar multiplication performance.

72    Y. Sakai and K. Sakurai

Table 3. Timings of a point addition and direct doubling in msec. (Pentium II 400MHz)

Curves   Affine                                     Weighted Projective          Modified Jacobian
         Add.    2P      4P      8P      16P        Add.     2P       4P        Add.     2P
P160     0.140   0.141   0.194   0.243   0.291      0.0582   0.0373   0.0729    0.0714   0.0355
P192     0.151   0.156   0.229   0.284   0.337      0.0827   0.0538   0.105     0.103    0.0502
P224     0.158   0.167   0.256   0.325   0.390      0.0963   0.0630   0.127     0.125    0.0563
P256     0.172   0.175   0.279   0.345   0.415      0.110    0.0713   0.139     0.142    0.0623
P384     0.219   0.229   0.392   0.497   0.616      0.198    0.123    0.238     0.244    0.108
P521     0.358   0.378   0.695   0.892   1.179      0.347    0.214    0.407     0.423    0.180

Table 4. Timings of a scalar multiplication of a random point in msec. (Pentium II 400MHz)

Curves   Affine                   Weighted Projective      Modified Jacobian
         Traditional  Proposed    Traditional  Proposed    Traditional
P160     26.8         18.4        9.1          7.9         8.2
P192     35.2         22.5        15.5         13.1        13.2
P224     42.1         27.8        20.6         18.2        18.3
P256     50.9         34.5        25.7         22.3        22.8
P384     98.3         65.7        68.2         58.5        59.0
P521     215          148         163          139         140
A Curves

In this appendix, the curves that we have implemented are given. P192, P224, P256, P384 and P521 are given in [NIST] as recommended curves.

P160

p = 736459809436275298942988210292996840747673059329
a = 1
b = 148564875525137510302727914159578416202993714965
#E(F_p) = 736459809436275298942987873098523465705697104451
Abstract. This paper examines the impact that the primary symmetric key cryptographic operation on network data streams, the encryption of user data, has on the overall traffic throughput. The encryption function, which provides the basic confidentiality security service, is studied from two cryptographic design perspectives based on the ability of a network cipher unit to dynamically re-parameterize itself while processing a high speed data stream. The designs studied in this paper were chosen based on their suitability for high speed network operation and their flexibility in satisfying dynamic security requirements. We develop analytical techniques to model the performance of each scheme.

Keywords. Network security, high performance, ATM networks, performance modelling



1 Introduction

In secure communication networks with an end-to-end security association, the basic security service of data confidentiality is provided by a symmetric key cipher. The two basic classes of symmetric key ciphers are the stream cipher and the block cipher. Stream ciphers encrypt individual characters in a unit of plaintext one character at a time. For network communication, this generally means bit-by-bit encryption. In contrast, block ciphers such as DES [11] encrypt a fixed size group of characters at a time. Stream ciphers are useful in a communication network that does not buffer protocol transfer units but processes a continuous bit stream. However, this is not the case with modern network designs, which utilize a fixed length protocol transfer unit commonly referred to as a packet or a cell, and variable length transfer units termed segments consisting of a number of fixed size packets or cells. Therefore, in network security, our discussion is limited to the encryption function provided by symmetric key block ciphers. Apart from its suitability for providing data confidentiality in packet oriented data networks, the cryptographic function of block encryption is a central element in providing several other network security services such as data integrity and message authentication. A single block encryption algorithm can be used in the construction of both the encryption function and the message authentication code (MAC) function [12] to provide data confidentiality and data authentication respectively, as shown in figure 1. A MAC value simultaneously provides both data integrity and data origin authentication.



E. Dawson, A. Clark, and C. Boyd (Eds.): ACISP 2000, LNCS 1841, pp. 74-88, 2000.
© Springer-Verlag Berlin Heidelberg 2000

Fig. 1. A function block schematic for generating an encrypted payload with a MAC authenticator value



In the next section, we discuss specific network quality of service (QOS) parameters of interest for analyzing the performance of secure communication channels. Thereafter, section 3 presents the key-agile encryption technique and section 4 presents the algorithm-agile encryption technique. The main reasons for selecting these two encryption techniques are given in section 3.1 and section 4.1, respectively. Apart from the efficiency and flexibility of operation provided by these two schemes in providing basic security services at the network layer of high speed communication networks, they have been used in several research projects [20, 22] to build secure ATM test networks. This is significant for secure high speed network design, as ATM is the preferred network technology for multi-service broadband networks (B-ISDN) [13]. The analytical model and numerical example for key-agility (in sections 3.4 and 3.5) and algorithmic-agility (in sections 4.2 and 4.3) provide a basis and justification for the use of these techniques in high speed network implementations. The paper concludes with remarks on the effect of several other QOS parameters on secure network performance.



2 Secure Communication and QOS Parameters

In the design of high performance network security systems, a detailed analysis of capacity requirements and deliverable throughput is essential. For end-to-end network performance modelling analysis, capacity is represented by the product of the number of simultaneously active secure channels and the average channel bandwidth, which determines the quantity of traffic that the network can sustain. Similarly, throughput is represented by bounds on the number of allowable active channels and allowable transmission losses, which determine the amount of traffic successfully transmitted [10]. Inadequate or incomplete analysis of available and required system capabilities could easily lead to vastly under-performing systems. For example, over-estimation of the required processing capacity of a security module could result in a conservative design approach that implements only modest and potentially inadequate security capabilities. Similarly, under-estimation of the required processing capacity could result in secure systems that fail to provide expected performance guarantees. This is a particularly important issue in multi-service high speed networks that have been designed to negotiate and then provide a guaranteed QOS for network users. In this respect, we use ATM networks as the basis for discussing the relationship between network QOS and cryptographic performance in secure high speed networks. The ideas presented and results derived in this paper are applicable to other types of networks with QOS support, such as TCP/IP networks operating under the resource reservation protocol (RSVP) [24]. As the main focus of the study presented in this paper is the impact of symmetric key cryptographic techniques on secure real-time data transmission, the QOS parameters we consider relate to data transfer and not to call control for connection-oriented ATM networks. The QOS parameters of concern are bit error ratio (BER), cell loss ratio (CLR) and cell insertion ratio (CIR).

BER is defined as the ratio between the number of bit errors that occur in a transmission system and the total number of bits transmitted, and is mainly dependent on the transmission system being used, including its physical characteristics (such as copper, fiber optic, etc.) and the operational environment (such as electro-magnetic interference). The use of optical fiber technology in high speed networking has greatly reduced the expected value of BER. If the bit error occurrence in a link is a random process (as is the case in modern high speed optical links), then the probability of an error free transmission of an ATM cell is (1 - BER)^384. Here, only the cell payload of 48 bytes (384 bits) is considered for bit error detection, as an unrecoverable bit error in the cell header portion will result in the cell not being allocated to any particular stream.

CLR is defined as the ratio between the number of cells lost in transmission and the total cells transmitted over a period of time. The main reasons for specifying a CLR for ATM network connections are cell discard due to buffer overflow and unrecoverable bit errors in cell headers. For our analysis, both BER and CLR can be considered as a single factor affecting performance, as cells with bit errors in encrypted payloads also need to be discarded on integrity check failure at the same layer on which decryption is done.

Cell insertion occurs due to bit errors in the header causing mis-routing of cells onto wrong channels when the error in the header address field matches a correct switching label at an ATM node. CIR is defined as the ratio between the number of cells misrouted to a destination and the total number of cells delivered to that destination address. CIR also causes loss of cryptographic synchronization and the discarding of several cells. Thus, in the rest of the paper, our reference to CLR actually refers to the compound effect of cell losses due to BER, CLR and CIR under encrypted cell transmission.

High Performance Agile Crypto Modules 77

For secure cell transmission, we may consider a cell with even a single bit error as a lost cell, as a single bit error in an encrypted payload can expand randomly on decryption of the cell, causing bit error expansion within a cell. This intra-cell error expansion will make any use of error correction codes largely ineffective. Depending on the mode of encryption [12] used and the construction of the encryption unit, bit errors may propagate to adjacent cells also. For example, if the cipher block chaining (CBC) or cipher feedback (CFB) mode is used, then a bit error within one encrypted cell payload will spread through the rest of the cell stream on decryption. While the output feedback (OFB) mode does not cause bit errors in the cipher payload to spread, this mode requires periodic synchronizing of the encryptor and decryptor unit (say, by using a special marker cell) to recover from possible cell losses. Both the CBC and CFB modes are self synchronizing, with cell loss propagation limited to only one additional block. The other common mode of operation, electronic codebook (ECB), has only intra-block bit error propagation, and the cell stream is self synchronizing on cell losses with no loss effect propagation. However, ECB is not recommended for use in many applications, as it is vulnerable to both substitution or reordering attacks and cryptanalytic attacks due to repeating plaintext blocks producing identical ciphertext blocks. For data networks, any unrecoverable error in transmission of a protocol unit at a given layer (for example, a packet at the network layer) detected at a receiver usually invokes an error recovery procedure at the same layer or at a layer above. As the standard error recovery mechanism is to request retransmission of the entire protocol unit of transfer, the benefits of limited error propagation or self synchronization of an encryption algorithm are of limited value in network applications.

In summary, for the widely used encryption modes the major effect of a cell that was lost or was in error is the loss of cryptographic synchronization for adjacent cells in a stream of encrypted cells, resulting in more than one cell being lost and potentially a larger block of cells mapping to an upper level protocol data unit (PDU) being discarded.

3 Key-Agile Encryption

3.1 Encryption at Physical Layer 

One of the simplest methods to secure communication between two network end-points is to agree on a cryptographic context, including a symmetric key for traffic encryption, using off-line mechanisms. This allows host-level security management at end-points. Thereafter, confidentiality and integrity services for the user data part of a traffic stream can be delivered through encryption and data integrity functions at the highest possible speed at the physical or link layer, as no further on-line security related negotiations take place. The main disadvantage of this approach is that it is not possible to secure the network traffic at a finer granularity such as per-user or per-application. Also, the static pre-configuration of cryptographic keys and consequent long-term key usage allows an attacker to capture a large amount of ciphertext encrypted with the same key (especially in a high speed network), which could facilitate an off-line cryptanalytic attack. Furthermore, as inter-networking units such as switches and routers need to process header information contained in a protocol transfer unit, the full traffic stream cannot be encrypted. If the header information also needs to be protected, for example, to prevent traffic analysis, then the traffic streams need to be secured on a hop-by-hop basis with decryption at input and re-encryption at output in each inter-networking unit, using the symmetric key shared between adjacent units. In addition to the disadvantages mentioned earlier, this makes the switching and routing nodes in a network highly vulnerable to attacks. Also, the amount of cryptographic processing required at each inter-networking unit would be excessively high, resulting in lower network throughput performance. The type of network security provided by such a scheme would be public network-to-network rather than private user-to-user, as the management of cryptographic keys in the network infrastructure would be outside end-user control. Therefore, even with the potential for fast implementation through hardware and transparency of operation, this type of physical layer or link layer scheme for securing traffic is not suitable for modern high speed networks.

With respect to ATM networks, the physical layer or link layer type of secure communication would be the use of a single cryptographic context and an associated symmetric key to encrypt the cell stream through a physical link connecting two adjacent ATM switches or through all the VCs between two ATM connection end-points. As this solution essentially creates a secure virtual tunnel that operates at the physical layer, allowing fast encryption of cell streams between the end-points, designers of secure networks do not have to consider the behaviour of actual traffic sources (such as continuous or bursty traffic) or the protocol semantics of the cell stream (such as native ATM traffic that has cell continuity or IP over ATM type traffic that contains cell blocks). Again, as the scheme requires static keying of physical links, this approach is not suitable for use by ATM end-points that connect through public ATM infrastructure for wide area connectivity. Also, even in the case of a private ATM LAN, this scheme does not have the capability to distinguish between traffic streams requiring security services and those that have no security requirements. Therefore, the potential for computational and transmission resource wastage is quite high. Due to these drawbacks, it is necessary to consider a more flexible and secure scheme to protect the ATM cell stream at the next level of granularity, that is, for the individual VC.

3.2 Encryption at a Virtual Layer 

Protection of data communication at a virtual layer, as opposed to the physical layer, involves identification of end-to-end flows of protocol transfer units and applying cryptographic operations to these flows separately using individually specified security contexts. In network protocol models that provide an end-to-end transport connection layer, this mode of operation can be implemented with flow identification by the connection label embedded in data packets (for example, the TCP source and destination port addresses give a flow identifier at the transport layer). If the network protocol model only provides a datagram style hop-by-hop virtual layer, the packet flow differentiation has to be done using a combination of header information (for example, the IPv6 source and destination addresses, identification, protocol and options fields together define a unique flow label. In IPv6, the flow label header field combined with the two IP addresses provides the flow identifier).

For ATM networks, the term key-agile cell encryption refers to the scheme by which the traffic through each individual VC is secured using a unique short-term symmetric key [20]. Among the many advantages of this approach are the ability to dynamically negotiate a shared key for each VC at its connection setup time, the ability to determine symmetric key characteristics such as the key length based on end-point security requirements, and the frequency of dynamic key updates for long-lived VCs. However, to achieve key agility, several changes are required for the basic cell relay function at the ATM layer. The two main changes required are:

1. Table look-up of the associated symmetric key at each end-point on a per-cell basis.

2. Execution of cryptographic operations including integrity checksum calculation and encryption (resp. checksum verification and decryption) on the cell payload.

As the cryptographic operations are performed only on the cell payload and the header is sent in clear text, this cryptographic table look-up is required only at end-point ATM nodes. The standard ATM layer functions such as cell relay, header recalculation and queue management at intermediate switching nodes are not affected by this type of secure cell transmission.

3.3 Dynamic Key Look-Up 

Each active VC in an ATM network is uniquely identified by a 24-bit combined virtual path identifier (VPI) and virtual channel identifier (VCI) address at the user network interface (UNI). As the particular symmetric key to be used for securing a cell payload is determined by this VPI/VCI pair, cryptographic operations can be done only after a payload has had its header prefixed. Also, the ATM layer performs cell-level address-based statistical multiplexing using the VCI in each cell. Therefore, in theory, key-agile cell encryption or decryption may require a table look-up for each cell received at an incoming or outgoing port. As the symmetric keys are much longer than ATM address fields (minimum of 64-bit and up to 256-bit long keys), the usual technique is to use a dual table solution in which a larger table indexed by VPI/VCI values contains pointers to a smaller cryptographic key table [20].

This symmetric key retrieval from a potentially very large table can therefore become a performance bottleneck in a high speed key-agile cell encryption scheme. There are several techniques to limit the negative impact on the performance:

1. Caching of recently or frequently used symmetric keys. This standard performance enhancement technique can be used by directing the dual table key access operation through a small cache of (VPI/VCI, symmetric key) tuples stored in high speed memory.

2. Restricted range of VCIs for secure connections. In the ATM standard, there are several blocks of VPI/VCI combinations that are reserved for specialized use. Among these are the address labels used for unassigned cells processed by the transport layer, cells introduced by the physical layer, idle cells for cell boundary resynchronization and OAM cells. Similarly, a range of VPI/VCI values could be defined for use in secure VC establishment by end-points. This approach will essentially limit the size of the symmetric key table for fast access.

3. Look-up table implementation in content addressable memory (CAM). A look-up table constructed using CAM allows parallel search of its index entries, thus speeding up the content retrieval.

Although the above techniques to reduce the performance penalty in cryptographic table look-up appear to be costly to implement (for cache and CAM) and arbitrarily restrictive (for a limited VCI range), in actual high speed networks the table size for active VCs may be much smaller than the theoretical maximum possible, due to other factors such as limited buffer space at multiplexors and the allowed cell loss ratio (CLR). Therefore, before designing a costly or restrictive symmetric key table look-up scheme, it is important to analyze the network operation to determine the actual performance requirements. Results of such an analysis could direct secure system designers to more affordable and realistic solutions.

3.4 An Analytical Model of the Key Agile Network Port

Consider N VCs multiplexed at an outgoing port with V_n, where n = 1, ..., N, as the transmission rate at time t for the VC labelled with number n. We assume the rates of the N circuits to be independent and identically distributed random variables. Now, we would like to determine the rate r such that the multiplexed link can carry the aggregate traffic of N VCs bounded by the allowable CLR. Alternatively, we could determine the number of traffic sources N for a given average transmission rate of r.

P\{V_1 + \cdots + V_N > rN\} \le \mathrm{CLR}    (1)

To model fairly generic network traffic conditions, we further assume the input sources of the VCs to be homogeneous on-off sources with P(on) = p, peak rate a and the number of VC input sources in the on state to have a binomial distribution. Then the probability that the aggregate transmission rate of active VCs exceeds the output rate of the outgoing link can be represented as

P\{V_1 + \cdots + V_N > rN\} = \sum_{n > rN/a}^{N} \binom{N}{n} p^n (1-p)^{N-n}    (2)

Using the Bahadur-Rao theorem [3,23] we can determine an approximation for the above equation 2 as follows that would allow us to compute a value for N.

P\{V_1 + \cdots + V_N > rN\} \approx \frac{e^{-N I(r)}}{\theta_r \, \sigma_r \sqrt{2\pi N}}    (3)

where

\theta_r = \frac{1}{a} \log \frac{r(1-p)}{p(a-r)}, \quad I(r) = \frac{r}{a} \log \frac{r(1-p)}{p(a-r)} - \log \frac{a(1-p)}{a-r} \quad \text{and} \quad \sigma_r^2 = r(a-r).

3.5 A Numerical Example

To illustrate the operation of a high speed network under the above modelling assumptions, consider a port with VCs having a peak rate a = 10 Mbps (say, switched LAN interfaces) and rate r = 5.33 Mbps. Under these conditions, λ = 1/3 and μ = 1/2 give P(on) = p = 0.40 at a mean rate p × a = 4 Mbps. Now, the parametric values of equation 3 can be computed as θ_r = 0.05377, I(r) = 0.03597 and σ_r^2 = 24.89. If the CLR is assumed to be 10^{-9} (for fiber optic links), the bound P{V_1 + ... + V_N > rN} ≤ CLR holds for N > 500.

[Figure 2 not reproduced; horizontal axis: N - number of active VCs]

Fig. 2. A numerical example showing the limiting effect of CLR on the number of active VCs multiplexed onto a single ATM link



82    C.G. Gamage, J. Leiwo, and Y. Zheng

The results of the above numerical example show that for an ATM outgoing port with an aggregate capacity of N × r = 2665 Mbps (approximately an OC-48 link), the requirement is to maintain a cryptographic table with a maximum of 500 entries only, as the number of active VCs is bounded by the CLR (see the graph in figure 2). Also, more importantly, the port will have to look up keys only 500 times every second, or once every 2 milliseconds, given the common input source behaviour of on-off models. It is interesting to compare these performance values computed above with a simple derivation of key switching for an OC-48 link. In this case, if we assume cell-by-cell key switching, a table look-up is required every (424 bits / 2488 Mbps) = 170 nanoseconds.

The above example clearly shows the unnecessarily high performance bound a designer would obtain from a strictly theoretical derivation (a key look-up every 170 ns) against the more realistic value obtained by stochastic modelling (a key look-up every 2 ms). In real-time operation, the performance of the crypto unit is not limited by the average processing load but by the peak instantaneous loads. As we have incorporated this behaviour into the analytical model through the peak rate a, we can conclude that key-agile cell encryption is a practical technique for implementing flexible security schemes for high speed networks.
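As an added example (not from the paper), the following Python evaluates the model of sections 3.4 and 3.5 with the page's own numbers. It assumes that the λ and μ of the numerical example are the off-to-on and on-to-off rates of the on-off source, so that P(on) = λ/(λ+μ), computes θ_r, I(r) and σ_r^2 of equation 3 (with σ_r^2 = r(a-r), the variance of one source's rate at the tilted point), compares the Bahadur-Rao approximation against the exact binomial tail of equation 2 evaluated in log space, and scans for the smallest N at which the CLR bound of equation 1 holds. It also reproduces the cell-by-cell figure of 424 bits / 2488 Mbps. All function names are the example's own.

```python
import math


def on_probability(lam, mu):
    """Stationary P(on) of a two-state on-off source with rate lam from off to
    on and rate mu from on to off (assumed reading of the lambda, mu of 3.5)."""
    return lam / (lam + mu)


def bahadur_rao_params(a, r, p):
    """theta_r, I(r) and sigma_r^2 of equation (3) for N i.i.d. on-off sources
    with peak rate a, on-probability p and per-source link share r (p*a < r < a)."""
    x = r / a                                  # fraction of sources that must be on
    tilt = r * (1 - p) / (p * (a - r))
    theta_r = math.log(tilt) / a
    i_r = x * math.log(x / p) + (1 - x) * math.log((1 - x) / (1 - p))
    var_r = r * (a - r)                        # variance of one source's rate at the tilt
    return theta_r, i_r, var_r


def overflow_probability(n_vcs, a, r, p):
    """Bahadur-Rao approximation (3) of P{V_1 + ... + V_N > rN}."""
    theta_r, i_r, var_r = bahadur_rao_params(a, r, p)
    return math.exp(-n_vcs * i_r) / (theta_r * math.sqrt(var_r)
                                     * math.sqrt(2 * math.pi * n_vcs))


def exact_overflow_probability(n_vcs, a, r, p):
    """Exact binomial tail of equation (2): sum over n > rN/a of
    C(N,n) p^n (1-p)^(N-n), summed in log space so large N does not overflow."""
    n_min = math.floor(r * n_vcs / a) + 1
    total = 0.0
    for n in range(n_min, n_vcs + 1):
        log_pmf = (math.lgamma(n_vcs + 1) - math.lgamma(n + 1)
                   - math.lgamma(n_vcs - n + 1)
                   + n * math.log(p) + (n_vcs - n) * math.log(1 - p))
        total += math.exp(log_pmf)
    return total


def smallest_n_meeting_clr(a, r, p, clr, n_max=100000):
    """Smallest N for which (3) satisfies the CLR bound of (1). The
    approximation decreases monotonically in N, so a linear scan suffices."""
    for n_vcs in range(1, n_max):
        if overflow_probability(n_vcs, a, r, p) <= clr:
            return n_vcs
    return None


def cell_lookup_interval(link_mbps=2488, cell_bits=424):
    """Seconds between key look-ups if every cell on the link needed one."""
    return cell_bits / (link_mbps * 1e6)


def port_capacity_mbps(n_vcs, r):
    """Aggregate port capacity N x r used in the discussion of figure 2."""
    return n_vcs * r


if __name__ == "__main__":
    a, r = 10.0, 5.33                          # Mbps, values of section 3.5
    p = on_probability(1 / 3, 1 / 2)
    print("theta_r, I(r), sigma_r^2 =", bahadur_rao_params(a, r, p))
    print("approx P(N=500) =", overflow_probability(500, a, r, p))
    print("exact  P(N=500) =", exact_overflow_probability(500, a, r, p))
    print("smallest N meeting CLR 1e-9 =", smallest_n_meeting_clr(a, r, p, 1e-9))
    print("cell-by-cell look-up interval (s) =", cell_lookup_interval())
```

The exact tail and the approximation agree to well within a factor of two at N = 500, which is why the approximation is good enough for sizing the key table; the scan shows that the bound of equation 1 is first met at N just above 500, matching the page.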

4 Algorithm-Agile Encryption

4.1 Need for Algorithmic Context Negotiation 

A high speed network that has only limited operational requirements and policies with regard to securing its data transmissions can standardize on a pre-agreed set of cryptographic parameters, including algorithms for encryption and modes of operation, algorithms for digital signatures, key lengths, key update and access control policies and other cryptographic variables. Thereafter, the network can provide a secure per-connection end-to-end data transmission mechanism such as the key-agile cell encryption previously described in section 3, where only the session key is dynamically selected or updated. However, for a multi-service network spanning many operating and regulatory environments, a cell encryption mechanism based on a single algorithmic context (or a few algorithmic contexts that are pre-configured for specific static connections) is clearly inadequate. When end-systems located in different operational and regulatory environments set up a secure connection, it is necessary to dynamically negotiate a cryptographic context, including different algorithms, acceptable to both end-users. For ATM networks, the industry standard security specification document [2] proposed by the ATM Forum includes security signalling at connection setup time to carry out this task and provide adaptive secure data transmission. This need for dynamic cryptographic context selection is applicable to other network protocols that provide an end-to-end connection at a virtual layer, such as the transport layer of the TCP/IP protocol stack.

As a concrete example of the need for algorithmic agility, consider the export control regulation for cryptographic products enforced by many countries. While many countries allow strong cryptographic security (such as symmetric keys of 128 bit length or longer) within the national boundaries, the strength of external secure communication is arbitrarily limited (such as to short 40 bit keys). Use of different key lengths for the same algorithm itself constitutes algorithmic agility, since the crypto units need to be reconfigured in real time with new values associated with the key schedule. The situation becomes even more complex when multiple keys (such as in triple DES) are used to circumvent key length restrictions. Therefore, cell-level encryption devices in high speed trans-national networks need to be designed with an array of crypto units that can operate in parallel to process multiple data streams simultaneously.

The term algorithm-agile cell encryption refers to the scheme by which traffic through different VCs may be processed according to a dynamically negotiated cryptographic context. The most commonly cited approach in the literature is to implement a cryptographic module with multiple parallel processing units that are dynamically loaded with the algorithmic context associated with the cell currently being processed in each unit [22,21].

However, in this paper, we consider using crypto units that are pre-configured for different algorithms and associated crypto variables. This method allows easier combination of key agility and algorithmic agility within a single security module. In the security module, one multiplexor unit can differentiate cells according to their algorithmic context and feed them to the appropriate crypto unit, while within that unit the per-cell key and other related crypto variable look-up can be done.

The objective of the modelling and analysis done in the remainder of this section is to show the practicality of algorithm-agile cell processing using the above-described type of crypto units for normal high speed network operations under typical traffic loads and for a reasonable number of algorithmic-context options. For this purpose, we first develop a system model based on the operational properties of an algorithm-agile crypto module. While the concept of algorithmic agility is applicable to any type of protocol scheme allowing end-to-end network connections in which users want to dynamically specify a security context, the analytical model is developed for ATM, which is the most common type of high speed network implementation technology. Thereafter, a numerical example is used to evaluate the practical utility of the scheme under high speed network operational parameters.



4.2 An Analytical Model of the Algorithmic Agile Network Port 

Consider an algorithm-agile crypto module as shown in figure 3, with m crypto processor units, each capable of processing cells that have been cryptographically secured according to a specific algorithmic context. Let us assume that each processor unit $P_i$ is capable of processing $p_i$ cells per time unit and that the combined crypto module receives $n$ cells per time unit over its multiplexed input. We further assume the distribution of algorithmic contexts among arriving cells to be a Poisson distribution, owing to its memoryless property. Therefore, if the algorithmic contexts are numbered $0, \ldots, m-1$, then the probability function 

$$p(x) = \begin{cases} \dfrac{\lambda^{x} e^{-\lambda}}{x!} & \text{if } x \in \{0, \ldots, m-1\} \\[4pt] 0 & \text{otherwise} \end{cases} \qquad (4)$$

gives the distribution of algorithmic contexts among the cells that have arrived during a sample time unit. Here $\lambda$ is the mean value that determines the shape of the algorithmic context distribution. (Truncating the Poisson mass at $m-1$ leaves $p$ slightly unnormalized; for the values of $\lambda$ and $m$ used below the omitted tail is negligible.) 
Fig. 3. Model of algorithmic agile cell processing (multiplexed cell input feeding the crypto units) 



If we assume that each crypto unit $P_i$ takes $\tau_i$ time units to process a cell (that is, $p_i \tau_i = 1$), then the amount of time $T_i$ spent by each crypto unit in processing cell payloads is 

$$T_i = n\, p(i)\, \tau_i \quad \text{for } i = 0, \ldots, m-1 \qquad (5)$$

As the above model of cell processing considers a time window of a single unit, for optimum performance by the crypto processing units without causing cell discard or excessive buffering the following inequality should hold: 

$$T_i = n\, \frac{\lambda^{i} e^{-\lambda}}{i!}\, \tau_i < 1 \quad \text{for } i = 0, \ldots, m-1 \qquad (6)$$

4.3 A Numerical Example 

To illustrate the operation of an algorithm-agile crypto module based on the above model, let us consider a 16 processor system on an OC-48 link, which delivers approximately 5.87 million cells per second (2488 Mbps / 424 bits per cell), with an average cell processing time of 160 ns. The graphs in figure 4 show the processor utilization profiles corresponding to different cryptographically secured cell traffic profiles as determined by various $\lambda$ values. The numerical values chosen for the analysis conform to the bounds given by equation 6. 

An average value of 160 ns to process the secured payload of a cell requires a sustained throughput of 2400 Mbps (384 bits / 160 ns), which may seem difficult to achieve given the state of the art in VLSI based cryptographic processor cores. However, the throughput requirement can be reduced considerably without an adverse effect on the overall system performance. Consider the crypto unit utilization graph for $\lambda = 2$ in figure 4, which represents a typical crypto traffic profile with only 2 or 3 heavily used algorithmic contexts and the remaining modules used less frequently. For this particular case the average value of $\tau$ can be increased from 160 ns to 640 ns while still remaining within the bounds set in equation 6. This results in a required throughput of 600 Mbps, which is within the range of hardware implementations of widely used symmetric key cryptosystems such as DES [8]. 

Fig. 4. The utilization of individual units in an algorithm-agile crypto module for different cell traffic profiles 



The sample values used in the numerical example above are based on commercial VLSI crypto core units such as [1] (640 Mbps) and [5] (528 Mbps) that support the DES algorithm [11]. Table 1 summarizes the projected throughput requirement, in bit encryptions per unit time, for different algorithm-context loadings. As newer encryption algorithms such as SPEED [25], Twofish [16] and Rijndael [9], which are much faster than DES, come into wider use, achieving the throughput requirements for high speed cell encryption with these new generation algorithms, including the next generation Advanced Encryption Standard (AES [4,17]), is likely to be much more practical. 



Table 1. Average throughput requirement for crypto units under different traffic profiles (m = 15 and n = 2488 Mbps are the parameters in equation 6) 

  λ      τ (ns)   Active units   Throughput (Mbps) 
  0.5     530          1              725 
  2       640         2/3             600 
  4       800         4/5             480 
  6      1060          6              365 
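The following is an added worked evaluation of equations (5) and (6), not code from the paper. It uses the paper's parameters (OC-48 at 2488 Mbps, 424-bit cells, 384-bit encrypted payload, m = 16 units and the λ values of Table 1) together with the Poisson mass of equation (4) to compute each unit's utilization T_i, the largest common per-cell time τ for which every T_i stays below 1, and the corresponding payload throughput 384 bits/τ. The "active units" count (utilization above 0.1) is an assumption of this example. Evaluated strictly, the bound for λ = 2 comes out at about 630 ns rather than the 640 ns quoted above, and for λ = 6 at about 1061 ns; a designer should recompute the bound for the actual cell rate rather than copy a table value.

```python
"""Utilization of an algorithm-agile crypto module under the Poisson context model.

Added example: evaluates equations (5) and (6) for an OC-48 cell stream.
Cell rate, 384-bit payload and the lambda values come from the paper's
numerical example; m = 16 and the 'active' threshold are assumptions here.
"""
import math
from typing import List

OC48_BPS = 2_488_000_000                   # OC-48 line rate used in the paper
ATM_CELL_BITS = 424                        # 53-byte ATM cell
PAYLOAD_BITS = 384                         # 48-byte payload that is actually encrypted
CELLS_PER_SEC = OC48_BPS / ATM_CELL_BITS   # n, about 5.87 million cells/s


def context_probability(lam: float, i: int, m: int) -> float:
    """p(i) from equation (4): Poisson(lam) mass at i, zero outside 0..m-1."""
    if not 0 <= i < m:
        return 0.0
    return lam ** i * math.exp(-lam) / math.factorial(i)


def utilizations(lam: float, tau_ns: float, m: int = 16,
                 n: float = CELLS_PER_SEC) -> List[float]:
    """T_i = n p(i) tau (equation 5) for every unit, with a common tau.

    A value at or above 1.0 means unit i is offered more work per second than
    it can absorb: inequality (6) is violated and cells queue or are discarded.
    """
    tau_s = tau_ns * 1e-9
    return [n * context_probability(lam, i, m) * tau_s for i in range(m)]


def satisfies_bound(lam: float, tau_ns: float, m: int = 16) -> bool:
    """True when every T_i < 1, i.e. inequality (6) holds for all units."""
    return all(t < 1.0 for t in utilizations(lam, tau_ns, m))


def max_tau_ns(lam: float, m: int = 16, n: float = CELLS_PER_SEC) -> float:
    """Largest per-cell processing time (ns) for which (6) still holds.

    The busiest unit is the one with the largest p(i), so (6) reduces to
    tau < 1 / (n * max_i p(i)).
    """
    p_max = max(context_probability(lam, i, m) for i in range(m))
    return 1e9 / (n * p_max)


def required_throughput_mbps(tau_ns: float) -> float:
    """Sustained payload throughput a unit needs: 384 bits every tau ns."""
    return PAYLOAD_BITS / tau_ns * 1e3


def active_units(lam: float, tau_ns: float, m: int = 16,
                 threshold: float = 0.1) -> int:
    """Number of units whose utilization exceeds `threshold` (assumed cut-off)."""
    return sum(1 for t in utilizations(lam, tau_ns, m) if t > threshold)


if __name__ == "__main__":
    print(f"n = {CELLS_PER_SEC / 1e6:.2f} Mcells/s")
    for lam in (0.5, 2.0, 4.0, 6.0):
        tau = max_tau_ns(lam)
        print(f"lambda={lam:<4} tau_max={tau:7.1f} ns  "
              f"throughput={required_throughput_mbps(tau):6.0f} Mbps  "
              f"active={active_units(lam, tau)}")
    # The paper's 160 ns base case leaves every unit below 26% busy at lambda = 2.
    print([round(t, 3) for t in utilizations(2.0, 160)])
```

Running the script prints one line per λ with the strict τ bound and the resulting throughput; comparing it against Table 1 shows which rows were rounded.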



In our model we have not explicitly considered the possibility of more than one crypto unit supporting the same algorithmic context. In that case a separate scheduler has to be used to admit cells to the individual units in the crypto processor group sharing the common algorithmic context. This has no meaningful impact on our analysis, which attempts to determine whether an overall crypto module consisting of several separate units can process a multiplexed cell stream within the performance bounds set by a high speed network environment. 



5 Summary 

The idea of key-agile encryption and details of a proof-of-concept implementation by Stevenson et al. [20] appeared in the literature preceding the work described in this paper. Design details of a cryptographic device called a CryptoNode, incorporating similar ideas, have been presented by Chuang in [6,7]. Independently of the work described in this paper, the concept of algorithm-agile encryption and related work has been presented by Sholander et al. [18], Tarman et al. [22,21] and Pierson et al. [14]. The use of a single key block in algorithm-agile systems, proposed by Smart [19] to assist rapid real-time algorithm selection, can be combined with algorithm-agile crypto units to further improve performance. 

To obtain operating parameters for the design of high performance security modules (specifically, high speed cell encryptors), designers can use any combination of analytical models, simulations and test implementations. Although both simulations and test-beds can benefit from results obtained through analytical models, there is a clear lack of work in this area. As the real performance of high speed networks continues to increase and wide area networks grow in complexity, both simulation and test implementation will become more difficult. Analytical mechanisms such as ours, which examine the performance of secure systems, will therefore be a valuable tool for system designers. 

Two other important data transfer QOS parameters are the end-to-end cell transfer delay (CTD) and the cell delay variation (CDV) or jitter. The analysis in this paper treated crypto modules as delay units of fixed duration that increase the end-to-end transfer delay by a value that can be calculated in advance and thus cause no change in the originally negotiated CDV. However, as different crypto units within the security processing module are likely to have different latencies, owing to differences in algorithms and key lengths, they will introduce CDV into the multiplexed cell stream. The above modelling assumption therefore holds only if delay equalization is performed at the processing module, at the cost of increased CTD. Otherwise, the QOS negotiation at connection setup time needs to account for the CDV added by security related processing. To develop analytical models that accurately represent the real-time behaviour of high performance secure networks, the above delay analysis must be complemented with other factors such as connection admission control policies, job scheduling at the security modules (processors) and management of shared resources such as buffers. 

As the agile crypto units are designed for block-mode operation on uniquely identified end-to-end data flows, they can be positioned at several of the layers in a network protocol architecture that have a defined protocol unit. However, as shown in figure 5, agile crypto units should be located nearer to the portion of the network protocol stack that is implemented in hardware, to achieve the highest possible performance. 

Fig. 5. The positioning of interfaces to the agile crypto units in a network protocol stack 
Abstract. From 1st January 2000, Internet Service Providers in Australia have been required to filter web traffic content. The Australian Broadcasting Authority (ABA) publishes a list of banned web sites and ISPs must enforce this ban. Enforcing Internet content regulation is a security issue: ISPs need to be able to verify the authenticity of a distributed banned list, enforcement will most likely be performed by a security component, and enforcement must be integrated with other security functions. This paper examines these issues, and more specifically reviews the modifications required to the TIS http-gw proxy to support Internet content regulation. 



1 Introduction 

On 26th May 1999 the Broadcasting Services Amendment (Online Services) Bill, which amends the Broadcasting Services Act of 1992, was passed by the Australian Senate [4]. The Australian Broadcasting Authority (ABA) had been commissioned to investigate the issue of regulating the Internet, and the Bill was the result of work undertaken by the ABA since July 1995. 

Under the Bill, the ABA becomes the first point of contact for people wishing to make a complaint about online content which they feel is offensive. The ABA's complaints handling role commenced on 1st January 2000, and the ABA has the authority to judge whether material is suitable or should be prohibited (see Appendix A). Internet Service Providers (ISPs) must have access to a list of prohibited sites, and must filter the prohibited sites by 6pm on the next business day after the sites have been listed [4]. 

There are many interesting moral and practical issues associated with Internet censorship. However, we leave these for others to consider, and in this paper we concentrate on the implementation issues for an ISP to control content. Controlling content is a security issue: the ISP will need to be sure that it can accurately obtain the ABA's current prohibited list, and the control of content will need to be performed in a secure fashion, most likely by modifying an existing security component. 

This paper examines both topics. Section 2 examines the issues relating to obtaining a list from the ABA that can be checked for authenticity; this can be achieved by various reasonable methods available to date. Section 3 examines the placement and implementation of the filtering required by the ISP. The ISP's firewall Hypertext Transfer Protocol (HTTP) proxy seems the most sensible position for this filtering, and the paper examines modifications to the Trusted Information Systems (TIS) [3] http-gw proxy to support this filtering. Furthermore, in Section 4 we present a more efficient configuration using the TIS http-gw proxy combined with the Squid cache proxy [6]. The paper finishes with our conclusions (Section 5). 



2 Authenticity of the Prohibited Site List 



The ABA will have the responsibility of maintaining a prohibited site list. This 
list should contain the Uniform Resource Locators (URLs) and/or IP addresses 
of sites deemed to be prohibited. Table 1 gives an example of such a list. 



Table 1. An example of a prohibited site list. 

  198.161.4.33 
  http://www.xrated.com 
  http://www.xxx.net 
  http://www.xtreme.org 
  ftp://zigzag.com.au 
  http://www.nuclearbomb.org 
  http://www.darkeyes.com 
  121.40.5.83 
  192.3.131.6 
  http://www.xtra-xray.com 
  http://www.homemadegun.net 


ISPs have the responsibility of downloading the prohibited site list at regular intervals and using it to filter the client requests they receive. 

One issue that the ABA must address here is ensuring the authenticity of the list. That is, the ISP must be sure that the list it has downloaded from the ABA has not had unauthorised modifications, either at the ABA or during download, since the list was created. The ISP must also be sure of the author of the list. Confidentiality of the list is not required. 
To ensure that an authentic prohibited site list is downloaded, several methods might be employed, such as downloading over a Secure Socket Layer (SSL) [1] connection, or having the ABA digitally sign the list using a suitable public key algorithm (for example RSA, DSS or an elliptic curve scheme) before it is made available for download. The ABA might, for instance, use PGP [5] to sign the list and let ISPs download it with ftp. Of these, only a signature over the list itself covers the whole requirement stated above: an SSL connection authenticates the ABA's server and protects the transfer, but not a list modified at the ABA before it is served, whereas a signed file can be re-verified by the ISP at any later time. 

If such methods for obtaining the prohibited site list are not preferred, there is another way to obtain the list: the ABA periodically sends a digitally signed list to ISPs by email. This allows both the author of the list to be verified and the integrity of the list to be checked. The signature verification code will need to be built into software at the ISP. Of course, special attention must be paid to ensuring the authenticity of the regulatory body's public key (in the absence of a suitable public key infrastructure (PKI)), for example by obtaining it out of band and fixing it in the ISP's configuration. 

3 Filtering of Prohibited Sites 

This section discusses the placement and implementation issues associated with 
filtering prohibited sites. 



3.1 Positioning of the Filter 

The ISPs may employ an HTTP proxy filter (for example, the TIS http-gw 
proxy) or an HTTP proxy cache (for example, the Squid cache proxy) or even a 
combination of the two to filter and to cache client HTTP requests. The combi- 
nation may allow ISPs to control, monitor and cache such requests. 

If an HTTP proxy filter is employed alone, a typical configuration is shown 
in Figure 1. Client browsers are configured to use the proxy, and all requests 
are made to the proxy, which in turn makes requests to the actual Internet web 
server, and replies are fed back through the proxy to the browser. 




Fig. 1. HTTP proxy filter for Web Requests (User -> Internet Service Provider proxy -> Internet) 
Traditionally, the reason for using proxies has been to reduce bandwidth requirements and to improve performance. Caching proxies are commonly used to minimise network traffic by storing copies of recently downloaded HTTP content, so that subsequent requests for the same content do not cause the web server to respond with the same content repeatedly. While some caching proxies have filtering built in, it is usually acknowledged that a cache is not designed to filter traffic efficiently. The most suitable arrangement is to have a light-weight (i.e., efficient) filtering proxy placed between the client browser and the caching proxy, which prevents requests destined for banned sites from reaching the caching proxy. A possible arrangement employing both an HTTP proxy filter and an HTTP proxy cache is shown in Figure 2. 




Fig. 2. An HTTP proxy cache is employed in the firewall HTTP proxy (User -> Internet Service Provider filter and cache -> Internet) 



HTTP proxies are commonly supplied as part of the ISP’s firewall system. 
Virtually every known application-level firewall provides an HTTP proxy. As it is 
anticipated that the firewall will store hundreds or even thousands of prohibited 
sites, to implement the prohibited site list filtering ISPs may need to modify, or 
have their suppliers modify, their firewall’s HTTP proxy. 



3.2 Three-Party HTTP Proxy 

Standard HTTP proxies are two-party: they communicate with the browser (the first party) and the web server (the second party). To implement Internet content regulation the HTTP proxy will need to be extended to include a third party: the proxy will need to be modified to communicate with the ABA site to download the prohibited site list. Figure 3 below shows how the proxy system must be able to contact a specific site (say, the ABA site) and download the list at a specific time (say, 6 pm) on a daily basis. 

Apart from ensuring that the list has been properly authenticated at the time it is downloaded, it is vital that the integrity of the list be maintained at all stages throughout its life. One possible tool for achieving this is a file system integrity checker such as Tripwire [2]. 

Fig. 3. A Three-Party HTTP Proxy is employed, contacting the ABA's site periodically (User, Internet Service Provider, ABA) 

4 Modification to the TIS Firewall Toolkit HTTP Proxy 

A major issue to address in developing a proxy for filtering HTTP traffic based 
on a destination URL is the performance of the proxy. If the size of the prohibited 
site list is large then a filtering proxy may introduce a significant delay making 
the elapsed time of an HTTP request and the corresponding response prohibitive. 

In order to investigate the delay introduced by URL filtering we have mo- 
dified the source code of the http-gw proxy which forms part of the Trusted 
Information Systems (TIS) Firewall Toolkit (FWTK). The source code for the 
FWTK is freely available from the Internet [3]. 

The TIS FWTK uses a global configuration file, usually called netperm-table. TIS's http-gw includes a rudimentary filtering mechanism which allows certain destinations to be banned using, for example, -dest !this.site.com. This mechanism does not scale well and is in fact limited to a small number of banned sites, since they must be listed on a single line which is limited to 1024 characters. 

In this modification a new, separate text file is created, located in the same directory as netperm-table. We chose to put the banned URL list in a file called ban-table¹. Ideally this file should be read as infrequently as possible, to reduce the overhead of processing the list once a connection is made. It is proposed that an ISP would download this file once a day from the ABA. 

¹ Of course the name of this file could be configurable through the netperm-table. 
The ABA may put such sites, in the form of URLs or IP addresses, in a text file in random order, one site per line. At the ISP's side the downloaded list is verified and then placed in the ban-table mentioned above, in the same directory as the netperm-table. This table is referenced from the netperm-table configuration file when the TIS http-gw is first run. In this http-gw modification the proxy reads the downloaded file and puts it into a binary tree in memory, so that lookup of a requested site is fast. The http-gw proxy is restarted whenever a new, valid prohibited site list has been downloaded; a cron job on a Unix machine may be used to perform this task from a script. 

A number of options are available in performing the processing of the prohi- 
bited site list. We have implemented the following configurations and present a 
comparison of each of the techniques from a performance perspective. 

1. A list stored in the netperm-table. 

2. A flat list read sequentially from a file. 

3. A list stored sequentially in memory as a linked list (the file is read only 
once for multiple connections to the proxy). 

4. A list stored in memory as a binary tree (once again, the file is read only 
once at which time the binary tree is constructed). 

The first of these options was discussed briefly above: http-gw provides a mechanism for banning certain destination sites, but is limited in the number of sites that can be stored, as previously described. The second mechanism trialled was to read through the file sequentially looking for a match between the URLs stored in the ban-table and the URL in the HTTP request. A natural progression from the second choice was to store the list in memory so that file access times (typically slow) did not impact the search time so greatly; in this case the (memory-resident) list was searched sequentially. The fourth choice was designed to streamline the search of the memory-resident list by storing it in a binary tree. It should be noted that a binary tree is more likely to be balanced if the ban-table is ordered randomly: a sorted ban-table produces a binary tree equivalent to a sequential linked list (an undesirable situation). In the experiment we placed the "target" site at the end of the ban-table so that it is located as deeply as possible in the binary tree. Hence, if the ABA is likely to provide a sorted prohibited site list, the ISPs must randomise it first to obtain good average search performance. 
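The following is an added example, not the authors' http-gw modification: a Python model of the ban-table lookup that shows the two points made above, that matching should be done on a normalised host (scheme, path, case, port and trailing dot stripped) rather than on the raw line, and that inserting a sorted list into an unbalanced binary tree degenerates into a linked list. The five ban-table entries are taken from Table 1; the 200 synthetic host names used for the shape comparison are constructed for the example. DNS resolution of names to addresses, which the conclusions identify as necessary against bypass, is not attempted here.

```python
"""Ban-table lookup for a filtering HTTP proxy.

Added example, not the http-gw modification itself. Parses a ban-table of the
form shown in the paper (one URL or IP address per line), builds an unbalanced
binary search tree keyed on the normalised host, and compares tree shape and
lookup cost for a sorted versus a shuffled table.
"""
import random
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Five entries from the paper's Table 1 (a real ban-table would hold thousands).
SAMPLE_BAN_TABLE = """\
198.161.4.33
http://www.xrated.com
http://www.xxx.net
ftp://zigzag.com.au
121.40.5.83
"""


def host_key(entry: str) -> str:
    """Normalise a ban-table line or a request URL to the host it names.

    'http://www.xrated.com/foo' -> 'www.xrated.com', 'ftp://zigzag.com.au' ->
    'zigzag.com.au', '198.161.4.33' -> '198.161.4.33'.  Case, port and a
    trailing dot are dropped so that trivial variations cannot bypass the list.
    """
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry            # lets urlsplit treat a bare host/IP as the netloc
    host = urlsplit(entry).hostname or ""   # hostname is already lower-cased
    return host.rstrip(".")


def load_ban_table(text: str) -> List[str]:
    """One URL or IP per line; blank lines are ignored."""
    return [host_key(line) for line in text.splitlines() if line.strip()]


class _Node:
    __slots__ = ("key", "left", "right")

    def __init__(self, key: str):
        self.key = key
        self.left: Optional["_Node"] = None
        self.right: Optional["_Node"] = None


class BanTree:
    """Unbalanced binary search tree over host keys.

    All traversals are iterative, so a degenerate tree built from a sorted
    list of many entries cannot exhaust the recursion limit.
    """

    def __init__(self, keys: List[str]):
        self.root: Optional[_Node] = None
        self.size = 0
        for k in keys:
            self.insert(k)

    def insert(self, key: str) -> None:
        if self.root is None:
            self.root, self.size = _Node(key), 1
            return
        node = self.root
        while True:
            if key == node.key:
                return                      # duplicate line in the ban-table
            side = "left" if key < node.key else "right"
            child = getattr(node, side)
            if child is None:
                setattr(node, side, _Node(key))
                self.size += 1
                return
            node = child

    def lookup(self, key: str) -> Tuple[bool, int]:
        """Return (found, comparisons) so that the search cost is observable."""
        node, comparisons = self.root, 0
        while node is not None:
            comparisons += 1
            if key == node.key:
                return True, comparisons
            node = node.left if key < node.key else node.right
        return False, comparisons

    def height(self) -> int:
        """Longest root-to-leaf path; equals size when keys were inserted sorted."""
        best, stack = 0, ([(self.root, 1)] if self.root else [])
        while stack:
            node, depth = stack.pop()
            best = max(best, depth)
            for child in (node.left, node.right):
                if child is not None:
                    stack.append((child, depth + 1))
        return best


def sequential_lookup(keys: List[str], key: str) -> Tuple[bool, int]:
    """The 'linked list in memory' option: scan until a match."""
    for i, k in enumerate(keys, 1):
        if k == key:
            return True, i
    return False, len(keys)


def is_banned(tree: BanTree, request_url: str) -> bool:
    return tree.lookup(host_key(request_url))[0]


def shape_comparison(n: int = 200, seed: int = 1) -> Tuple[int, int]:
    """Tree height for a sorted versus a shuffled list of n constructed hosts."""
    hosts = [f"host{i:06d}.example" for i in range(n)]   # zero-padded: already sorted
    sorted_height = BanTree(hosts).height()
    shuffled = hosts[:]
    random.Random(seed).shuffle(shuffled)
    return sorted_height, BanTree(shuffled).height()


if __name__ == "__main__":
    tree = BanTree(load_ban_table(SAMPLE_BAN_TABLE))
    for url in ("http://WWW.XRATED.COM/index.html", "http://198.161.4.33:8080/",
                "http://www.example.org/"):
        print(url, "->", "banned" if is_banned(tree, url) else "allowed")
    print("height sorted/shuffled:", shape_comparison())
```

Running the script reports the sorted tree at the full list length and the shuffled one at a few dozen levels, which is the balance effect the authors describe; the lookup counter makes the same comparison visible per request.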

Table 2 gives a comparison of each of these techniques. It can be seen that the speed-up associated with loading the list into memory and processing it there, rather than from disk, is significant although not astonishing (roughly twice as fast). The most significant improvement is achieved by processing the list when it has been stored in a binary tree: the improvement is almost two orders of magnitude for a list containing one million entries². These results were expected and serve to highlight the importance of suitable data structures in situations where computational efficiency is vital. All results are in milliseconds (ms). 

² The entries were created randomly and hence the tree is considered well-balanced. 
Table 2. Average timing results comparison (milliseconds) 

  Number      http-gw    read file      linked list   binary tree 
  of URLs     (FWTK)     (sequential)   (in memory)   (in memory) 
  1              9.8         9.8            9.6           9.9 
  10            17.6         9.9           10.0           9.9 
  20            26.4        10.8           10.5           9.9 
  30            32.8         9.8           10.1           9.8 
  40            41.8        10.4           10.1           7.2 
  50            50.0        10.4            9.5           9.9 
  57            55.0        NA             NA            NA 
  100           NA          10.0            9.8           9.9 
  1,000         NA          11.3           10.7          10.5 
  10,000        NA          26.2           18.4          11.3 
  100,000       NA         310.8          195.6          11.6 
  500,000       NA       1,025.1          594.3          13.3 
  750,000       NA       1,517.7          800.6          12.9 
  1,000,000     NA       1,910.6          984.5          13.3 



Besides the elapsed time to search such a list, we must also consider that if a caching proxy is used between the Internet and the http-gw proxy, the delay will only be experienced on the first access to any particular site. A caching proxy is therefore always recommended. 

When the prohibited site list is large it becomes unacceptable to read the list into memory more frequently than necessary. To overcome this it is necessary to use shared memory, so that the different (forked) instances of the proxy application can each access the memory containing the list concurrently. A single memory-resident copy of the list would also make updating the list easier. Shared memory techniques are well established and hence do not fall within the scope of this work. 



5 Conclusions 

Modification of the public domain code is a straightforward and reasonably cheap method for obtaining an HTTP proxy suitable for Internet content regulation. The modification was successfully extended from a small number of banned sites to a very large number. The binary-tree method employed in the http-gw proxy is very effective in reducing the elapsed time of scanning up to a million sites. 

The two security components in the implementation of Internet content regulation, verification of the prohibited site list and the filtering itself, must be carefully considered. The authenticity of the prohibited site list is very important to ensure that Internet content regulation works well, and attempts must be made to reduce the chance of bypassing the filtering, such as automatically resolving each Domain Name Service name to its IP address (and vice versa) and recognising a site's aliases. 

The modified proxy might need to be investigated further to monitor its 
performance when the proxy serves from tens up to hundreds of clients. An 
auto-lookup facility for DNS name and its related IP address also seems to be 
useful for future work. 
A When a Site is Put into the Prohibited Site List 

In its implementation, the ABA lists sites which contain material giving detailed instruction in crime, violence or drug use, child pornography, bestiality, excessively violent or sexually violent material, or real depictions of actual sexual activity. Such content is classified 'RC' or 'X' by the Classification Board. 

Sites rated 'R' that are not subject to a restricted access system may contain material with excessive and/or strong violence or sexual violence, implied or simulated sexual activity, or material containing depictions of things which require the assistance of an adult. The ABA will put such sites into the list if there is a complaint from an Australian resident, a body corporate in Australia, or the Commonwealth Government or a State or Territory. 
Abstract. Anderson and Kuhn have proposed the EEPROM modification attack to recover a secret key stored in EEPROM. At ACISP'98, Fung and Gray proposed an m-permutation protection scheme against the EEPROM modification attack. At ACISP'99, Fung and Gray pointed out that in their original scheme a secret key with too small or too large a Hamming weight could be recovered easily. They then proposed a revised m-permutation protection scheme and claimed that the revised scheme does not leak any information about the secret key. In this paper we break completely both the original and the revised m-permutation protection schemes. The original scheme is broken with about 2 log_2 n devices from the same batch and about (3 log_2 n + 2) × m × n probes (n is the length of the secret key and m is the number of permutations). The revised m-permutation protection scheme is more vulnerable than the original one: it can be broken with only one device and about m × n/3 probes. 



1 Introduction 

The design of tamperproof devices is an important issue in the application of cryptographic systems. There are basically two types of attacks against tamperproof devices. The direct attack is to reverse engineer the device with advanced hardware technology. The other type of attack is to force the device to produce computational errors. Boneh, DeMillo and Lipton developed such an attack against tamperproof devices [4]: random errors are introduced into the data on the device, and the corresponding erroneous output can be used to deduce the key. This attack is simple but powerful and is able to break devices using RSA. A similar attack was reported independently by Bao, Deng et al., who showed how to attack the RSA, El Gamal and Schnorr signature schemes [2]. Biham and Shamir later introduced Differential Fault Analysis (DFA) [3], which can be applied to recover a block cipher key from a sealed tamperproof device. To resist these fault-related attacks the device needs to perform fault checking before outputting the encrypted (or decrypted, or signed) result. 

Anderson and Kuhn introduced the EEPROM modification attack, which is quite general and practical. In their attack an attacker is assumed to be able to write arbitrary values to arbitrary locations of the EEPROM where the secret key is stored, but cannot read a value from the EEPROM. This is because the cost of writing a value to EEPROM is much lower than that of reading one: writing can be done with low-cost equipment such as microprobes, while reading requires much more expensive equipment such as an electro-optical probe. 

To protect the device against the EEPROM modification attack, Fung and Gray proposed a cascaded m-permutation scheme that uses an (m × n)-bit encoding for an n-bit key [5]. Each batch of devices employs the same permutations (i.e., encoding). The permutation wiring is secret and it is assumed that the attacker has no equipment to reveal the wiring. Fung and Gray claimed that an attack on the m-permutation scheme requires O(n^m) probes to compromise the key. In [6], Fung and Gray pointed out that if the Hamming weight of a key is too small or too large, the key could be recovered easily. They then introduced a revised scheme in which random numbers are introduced to hide the information about the Hamming weight of the secret key. 

In this paper we show that both the original and the revised schemes are insecure. For the original scheme there is an attack that recovers the m permutations with about 2 log_2 n devices from the same batch and about (3 log_2 n + 2) × m × n probes. The m-permutation scheme thus achieves only linear growth of attack complexity with a linear growth in the number of permutations. 

In the revised scheme, m random numbers are introduced into each device to hide the information about the Hamming weight of the secret key. However, these random numbers leak information about the secret permutations. By modifying these random numbers we can recover the mappings between those permutations, i.e., the m-permutation scheme can be reduced to a one-permutation scheme. Thus, with only one device, we break the revised m-permutation scheme with about m × n/3 probes. Since only one device is needed in this attack, we consider the revised scheme more vulnerable than the original scheme. We try to strengthen the revised scheme by eliminating the flaw introduced by the random numbers. However, there still exists an attack that recovers the m permutations with about m × n devices from the same batch and about 3.5(m × n)^2 probes. 

A fairly simple and efficient scheme to defeat the EEPROM modification attack is 
proposed in this paper. By restricting the Hamming weight of the key to be half of n , 
only one permutation is needed. 

This paper is organized as follows. The EEPROM modification attack is introduced 
in Section 2. Fung and Gray’s original and revised m - permutation protection 
schemes are introduced in Section 3. We break the original and the revised 
m - permutation scheme in Section 4 and Section 5, respectively. In Section 6, we 
break the strengthened version of the revised scheme. Section 7 gives our simple and 
efficient protection scheme. Section 8 concludes the paper. 
2 The EEPROM Modification Attack 

In [1], Anderson and Kuhn proposed the EEPROM modification attack. It is a physical attack in which two microprobing needles are used to set or clear target bits in order to infer them. It is assumed that EEPROM bits cannot be read directly, since the equipment required is much more expensive than the microprobing needles. In the EEPROM modification attack, if one bit of the secret key is set to its correct value there is no error in the output of the device; otherwise an error occurs. The secret key can thus be determined bit by bit. 

Anderson and Kuhn's attack in [1] is with respect to a DES key. The more general attack described by Fung and Gray [5] is given below: 

    for i = 0 to n-1 
        set the i-th bit to 1; 
        operate the device; 
        if the device gives the correct output, then conclude 
            that the bit is 1; otherwise, conclude that the bit is 0 
            and reset it to 0. 

In addition to requiring only low-cost equipment, this attack can be carried out with very few probing actions. In particular, it takes 1.5n probes on average to recover an n-bit key: one write per bit, plus a second write to restore each bit that was actually 0. 



3 The m - Permutation Protection Schemes 

The m - permutation schemes [5,6] provide a physical encoding ( m permutations) of 
keys, along with a logical chip design and hiding the permutation wiring beneath the 
surface of the chip. The m permutations are considered as the „batch key“ which is 
known only to the manufacturers and to those who are legitimately programming the 
device. For example, the devices may be manufactured in batches of 10,000 devices 
all with the same batch key. A single customer purchases a batch of devices and is 
given the batch key so that he can program secret keys into the cards. 

There are several assumptions made. Firstly, the attacker is assumed to be a „clever 
outsider with moderately sophisticated equipment". Secondly, the encoded key is 
assumed to be stored in EEPROM and that the attacker cannot read the EEPROM 
directly. Finally, it is assumed that the attacker is not able to see the exact wiring (i. e., 
the batch key) of the devices. The following notations are used in the rest of this 
paper: 

$K$ : The actual key bit vector with length of $n$ bits. It is to be used by 
the card in encrypting, signing, etc. 

$P$ : The physical key bit vector with length of $p$ bits. It is the actual bit 
pattern stored in the EEPROM. 

$\pi$ : A permutation function, $\pi : \{0, 1, 2, \ldots, n-1\} \to \{0, 1, 2, \ldots, n-1\}$. 

$\pi^{-1}$ : The inverse function of the permutation $\pi$. 

Element of $\pi$ : An element of the permutation table $(i, \pi(i))$ ($i \in \{0, 1, \ldots, n-1\}$). 

$\pi(K)$ : It denotes the permuted result of $K$ under the operation of $\pi$, i.e., 
$(\pi(K))_{\pi(i)} = (K)_i$ for $0 \le i \le n-1$, where $(K)_i$ denotes the value of 
the $i$-th bit of $K$. 



3.1 One-Permutation Scheme [5] 

In this approach, the manufacturer chooses a random permutation of the $n$-bit key as 
the batch key and works as follows: 

Scheme 1. One-permutation Scheme 

1. The device manufacturer chooses randomly a permutation $\pi$. 

2. Set $P = \pi(K)$. 

3. The wiring implements the inverse of $\pi$. 

4. The device reads $K$ from $P$ since $K = \pi^{-1}(P)$. 

The attacker can find the value of $P$ as described in Section 2. Then the permutation 
$\pi$ can be determined as follows. The attacker first sets $P$ as a vector with Hamming 
weight one, then operates the device to obtain an output. The value of $K$ can be 
determined since the Hamming weight of $K$ is also one, due to the fact that 
$K = \pi^{-1}(P)$. Thus one element of $\pi$ is known. Repeating this process $n-1$ times, 
the permutation $\pi$ can be determined with about $3n$ probes. 



3.2 m-Permutation Protection Scheme [5] 

In the m-permutation scheme, the manufacturer chooses $m$ random permutations of 
the $n$-bit key as the batch key and works as follows: 

Scheme 2. m-permutation protection scheme 

1. The device manufacturer chooses $m$ permutations 
$\pi_i : \{0, 1, 2, \ldots, n-1\} \to \{0, 1, 2, \ldots, n-1\}$ for $0 \le i \le m-1$. 

2. Let $P = P_0 \,|\, P_1 \,|\, \ldots \,|\, P_{m-1}$, where $|$ denotes concatenation and $P_i = \pi_i(K)$. 

3. The wiring implements the inverse of those $m$ permutations. 

4. The device reads $K_0$ from $P_0$, $K_1$ from $P_1$, $\ldots$, $K_{m-1}$ from $P_{m-1}$. 
If $K_0 = K_1 = \cdots = K_{m-1}$ is not true, the device gives an error message. 

The attack to break the one-permutation scheme could not be applied directly to the 
m-permutation scheme since, without knowing the secret permutations, the modified 
values of $P$ pass the detection with only negligible probability. 

As pointed out by Fung and Gray, some secret keys with small Hamming weight 
could be recovered easily [5]. To eliminate such weakness, Fung and Gray proposed 
the revised m-permutation scheme [6] to hide the information about the Hamming 
weight of the secret key by introducing $m$ random numbers into each device. The 
revised scheme is given in the next subsection. 



3.3 The Revised m-Permutation Protection Scheme 

In the revised m-permutation scheme, $m$ random numbers are introduced into each 
device. 

Scheme 3. Revised m-permutation protection scheme 

1. Choose $m$ as an odd number. 

2. The device manufacturer chooses $m$ permutations 
$\pi_i : \{0, 1, 2, \ldots, n-1\} \to \{0, 1, 2, \ldots, n-1\}$ for $0 \le i \le m-1$ 
as the secret information (batch key) for a batch of devices. 

3. Randomly choose $m$ $n$-bit words $K_i$ ($0 \le i \le m-1$) for each device. 

4. Store in the device $P = P_0 \,|\, P_1 \,|\, \ldots \,|\, P_{m-1}$, where 
$P_i = \pi_i\bigl(K \oplus \pi_{i+1 \bmod m}(K_{i+1 \bmod m}) \oplus \pi_{i+2 \bmod m}(K_{i+2 \bmod m})\bigr)$. 

5. Store in the device $P_K = P_{K_0} \,|\, P_{K_1} \,|\, \ldots \,|\, P_{K_{m-1}}$, where $P_{K_i} = K \oplus K_i$. 

6. The wiring implements the inverse of those $m$ permutations. 

7. The device decodes the key as $K = \bigoplus_{j=0}^{m-1} \pi_j^{-1}(P_j)$. 

8. The device then computes a check value $K'$ from the blocks $P_{K_i}$ ($i = 0, 1, \ldots, m-1$) 
and the decoded key using the operations $\wedge$ and $\vee$, which indicate logical AND and OR respectively. 
If $K' = K$, then the device uses $K$ in the crypto application; else it returns an error message. 

In the revised scheme (Scheme 3), the Hamming weight of the secret key is unknown 
after $P$ and $P_K$ are recovered under the EEPROM modification attack. Fung and 
Gray claimed that the attacker has only a probability of $2^{-n}$ to guess the $n$-bit key 
$K$, since the $m$ permutations are unknown to the attacker. However, as we will 
present in Section 5, there exists an attack that can recover those permutations with 
only one device and about $m \times n^3/3$ probes. Once those permutations are recovered, 
the whole batch of devices is broken and the secret keys can be determined easily. 
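The following Python model is an added example, not code from this paper or from Fung and Gray. It implements the encode and decode steps of the revised scheme to make two points concrete: the XOR decode of step 7 returns the key only when $m$ is odd (each random number appears in exactly two blocks and cancels, while $K$ appears $m$ times), and a device can detect an inconsistency between $P$ and $P_K$. It assumes the encoding $P_i = \pi_i(K \oplus \pi_{i+1 \bmod m}(K_{i+1 \bmod m}) \oplus \pi_{i+2 \bmod m}(K_{i+2 \bmod m}))$ and $P_{K_i} = K \oplus K_i$; the consistency test in `device_read` (recover the $K_i$ from $P_K$, re-encode, compare with $P$) is this example's own stand-in for the $K' = K$ comparison of step 8, and all function names are the example's own.

```python
import random

# Added example (not the paper's code): a software model of the revised
# m-permutation scheme.  Encoding assumed:
#   P_i     = pi_i(K xor pi_{i+1}(K_{i+1}) xor pi_{i+2}(K_{i+2}))   (indices mod m)
#   P_{K_i} = K xor K_i
# The consistency check in device_read is this example's own, not the paper's K'.

def make_perm(n, rng):
    """A random permutation of {0, ..., n-1}: one component of the batch key."""
    pi = list(range(n))
    rng.shuffle(pi)
    return pi

def inverse(pi):
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return inv

def apply_perm(pi, bits):
    """(pi(X))_{pi(i)} = X_i, the convention of the paper's notation section."""
    out = [0] * len(bits)
    for i, b in enumerate(bits):
        out[pi[i]] = b
    return out

def xor(*vecs):
    return [sum(col) & 1 for col in zip(*vecs)]

def encode(perms, key, randoms):
    """Steps 4 and 5: the EEPROM contents P (list of m blocks) and P_K."""
    m = len(perms)
    P = []
    for i in range(m):
        a, b = (i + 1) % m, (i + 2) % m
        masked = xor(key,
                     apply_perm(perms[a], randoms[a]),
                     apply_perm(perms[b], randoms[b]))
        P.append(apply_perm(perms[i], masked))
    PK = [xor(key, randoms[i]) for i in range(m)]
    return P, PK

def decode(perms, P):
    """Step 7: K = XOR_j pi_j^{-1}(P_j).  Every pi_a(K_a) occurs in exactly two
    blocks and cancels; K occurs m times and survives only when m is odd."""
    return xor(*[apply_perm(inverse(perms[j]), P[j]) for j in range(len(P))])

def device_read(perms, P, PK):
    """Decode K, derive K_i = P_{K_i} xor K, re-encode and compare with P.
    Returns K, or None (error message) when the stored values are inconsistent."""
    K = decode(perms, P)
    randoms = [xor(K, pk) for pk in PK]
    if encode(perms, K, randoms)[0] != P:
        return None
    return K

def build(n, m, seed):
    """Constructed sample device: m random permutations (batch key), a random
    key, m random n-bit words, and the resulting EEPROM contents."""
    rng = random.Random(seed)
    perms = [make_perm(n, rng) for _ in range(m)]
    key = [rng.randrange(2) for _ in range(n)]
    randoms = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
    P, PK = encode(perms, key, randoms)
    return perms, key, randoms, P, PK

if __name__ == "__main__":
    perms, key, _, P, PK = build(16, 3, seed=1)
    print("m = 3, decoded == key:", decode(perms, P) == key)
    tampered = [blk[:] for blk in P]
    tampered[0][0] ^= 1          # one EEPROM bit of P_0 flipped
    print("m = 3, tampered P rejected:", device_read(perms, tampered, PK) is None)
    perms4, key4, _, P4, _ = build(16, 4, seed=2)
    print("m = 4, decode gives all zeros:", decode(perms4, P4) == [0] * 16)
```

Flipping a single bit of $P_0$ is always caught by the re-encode check: the decoded key moves by one unit vector $e$, every recovered $K_i$ moves by the same $e$, and each re-encoded block differs from the stored one by $\pi_i(e \oplus \pi_a(e) \oplus \pi_b(e))$, a word of odd Hamming weight that cannot be zero.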

4 Cryptanalysis of the Original m-Permutation Protection 
Scheme 

Fung and Gray have pointed out a weakness in their original m-permutation 
protection scheme: some keys with small or large Hamming weight could be 
recovered easily. In this section, we present an attack to break completely the original 
scheme with about $2\log_2 n$ devices from the same batch and about $3 \times m \times n \times \log_2 n$ 
probes. Our attack consists of two steps. In the first step, we determine the mappings 
between those $m$ permutations by analyzing $2\log_2 n$ devices, i.e., we reduce the 
m-permutation scheme to the one-permutation scheme. In the second step, we recover the 
remaining permutation. We start with the first step. 

Assume that about $2\log_2 n$ devices from the same batch are available and the 
values of $P$ ($P = P_0 \,|\, P_1 \,|\, \ldots \,|\, P_{m-1}$) in these devices are determined already by applying 
the EEPROM modification attack. The amount of probes needed here is about 
$3 \times m \times n \times \log_2 n$. We denote $P^i$ as the value of $P$ in the $i$-th device. 

We know that $P^i_j = \pi_j \circ \pi_0^{-1}(P^i_0)$ since $P^i_j = \pi_j(K^i)$ and $P^i_0 = \pi_0(K^i)$ ($K^i$ is the 
secret key in the $i$-th device). The permutation $\pi_j \circ \pi_0^{-1}$ is determined as follows. 

Consider two $(2\log_2 n) \times n$ binary matrices $M$ and $N$ with the $i$-th row $M^i = P^i_j$ 
and $N^i = P^i_0$. We note that $M^i = \pi_j \circ \pi_0^{-1}(N^i)$, i.e., $M$ is obtained by exchanging 
the columns of $N$ under the permutation $\pi_j \circ \pi_0^{-1}$. Clearly, if all the columns of $N$ 
are different, the permutation $\pi_j \circ \pi_0^{-1}$ can be determined uniquely. Assume that all 
the keys are randomly generated; then the columns of the matrix $N$ are $n$ random 
elements in a set with $n^2$ elements. From the birthday paradox, the probability that 
all these elements are different is about 0.61 (for almost all key lengths 
$40 \le n \le 4096$). Thus the permutations $\pi_j \circ \pi_0^{-1}$ ($0 \le j \le m-1$) could be uniquely 
determined with about $2\log_2 n$ devices with probability about 0.61. If a few elements 
of the permutations $\pi_j \circ \pi_0^{-1}$ ($0 \le j \le m-1$) could not be recovered (i.e., some 
columns of the matrix $N$ have the same value), some key bits would be unknown. 
However, those key bits can be determined easily by exhaustive search. In the rest of 
this section, we simply assume that $\pi_j \circ \pi_0^{-1}$ ($0 \le j \le m-1$) are uniquely determined 
already. Then there is only one unknown permutation left, i.e., if we can find $\pi_0$, we 
will know all the $\pi_j$, since $\pi_j = (\pi_j \circ \pi_0^{-1}) \circ \pi_0$. We give below the details to recover $\pi_0$. 
To recover $\pi_0$, we need to write a key with Hamming weight one into the device 
correctly, so that $\pi_0^{-1}(P_0) = \pi_1^{-1}(P_1) = \cdots = \pi_{m-1}^{-1}(P_{m-1})$. If $P_0$ is set as an $n$-bit word 
with Hamming weight one, then $P_i$ could be determined easily since $P_i = \pi_i \circ \pi_0^{-1}(P_0)$ 
and $\pi_i \circ \pi_0^{-1}$ is known already. Thus we are able to write any key with Hamming 
weight one into the device. Once knowing the device output, the value of the key with 
Hamming weight one could be determined. Since $P_0 = \pi_0(K)$, one element of $\pi_0$ is 
determined. Setting the bit with value 1 at different positions in $P_0$ and repeating the attack, 
we could recover $\pi_0$ with about $2 \times m \times n$ probes. 

From $\pi_0$ and $\pi_i \circ \pi_0^{-1}$ ($i = 1, \ldots, m-1$), we know all the permutations and thus can 
break the m-permutation scheme. About $2\log_2 n$ devices are needed in this attack 
and the total amount of probes needed is about $3mn\log_2 n + 2mn = (3\log_2 n + 2) \times m \times n$. 
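The 0.61 figure used in the first step above is the birthday bound; the derivation below is added here and is not part of the original paper. The $n$ columns of $N$ are independent uniform values in a set of size $2^{2\log_2 n} = n^2$, so the probability that they are pairwise distinct is

$$\prod_{k=0}^{n-1}\Bigl(1-\frac{k}{n^2}\Bigr) \approx \exp\Bigl(-\sum_{k=0}^{n-1}\frac{k}{n^2}\Bigr) = \exp\Bigl(-\frac{n-1}{2n}\Bigr) \approx e^{-1/2} \approx 0.607,$$

which is already within about one percent of $e^{-1/2}$ at $n = 40$ and essentially constant over $40 \le n \le 4096$, as stated. 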

The attack in this section needs about $2\log_2 n$ devices from the same batch. In 
case devices from a number of batches are well mixed, a simple method could be used 
to group those devices. We write the $P$ of one device into all the devices; those 
devices that operate properly belong to the same batch. 



5 Cryptanalysis of the Revised m-Permutation Protection 
Scheme 

In the revised scheme, $m$ random numbers are introduced into each device to hide the 
information about the Hamming weight of the secret key. However, the revised scheme is 
in fact more vulnerable than the original one, since those random numbers leak 
information about the permutations. With only one device, those permutations could 
be recovered with about $m \times n^3/3$ probes. Similar to the attack in Section 4, the 
attack in this section consists of two steps. The first step of the attack is to reduce the 
m-permutation scheme to the one-permutation scheme by modifying the random 
numbers. The second step is to recover the remaining permutation. We start with the 
first step. 

Assume that the values of $P$ and $P_K$ in a device are determined already by 
applying the EEPROM modification attack. We note that those $m$ numbers $K_i$ 
($i = 0, 1, \ldots, m-1$) in the revised scheme are randomly chosen. Obviously, if we 
replace any $K_i$ with another random number, the value of the secret key $K$ will not 
be affected and the device will operate properly. Suppose we want to modify the $j$-th 
bit of a particular random number $K_i$. This bit is denoted as $K_{i,j}$. We know that this 
bit appears only in $P_{K_i}$, $P_{i-1 \bmod m}$ and $P_{i-2 \bmod m}$, since 

$$P_{K_i} = K \oplus K_i, \tag{1}$$

$$P_{i-1 \bmod m} = \pi_{i-1 \bmod m}\bigl(K \oplus \pi_i(K_i) \oplus \pi_{i+1 \bmod m}(K_{i+1 \bmod m})\bigr), \tag{2}$$

$$P_{i-2 \bmod m} = \pi_{i-2 \bmod m}\bigl(K \oplus \pi_{i-1 \bmod m}(K_{i-1 \bmod m}) \oplus \pi_i(K_i)\bigr). \tag{3}$$

Modifying $K_{i,j}$ in $P_{K_i}$ is trivial since we only need to invert the value of 
$P_{K_i,j}$. Modifying $K_{i,j}$ in $P_{i-1 \bmod m}$ and $P_{i-2 \bmod m}$ without knowing the permutations 
$\pi_{i-1 \bmod m} \circ \pi_i$ and $\pi_{i-2 \bmod m} \circ \pi_i$ requires about $n^2/2$ trials on average. Thus with about 
$n^2$ probes, we could modify the value of $K_{i,j}$ successfully (if it is not modified 
correctly, the device gives an error message). If the values of $P_{K_i}$, $P_{i-1 \bmod m}$, $P_{i-2 \bmod m}$ 
are modified and the device operates properly, we know from (1), (2) and (3) that 

$$\pi_{i-1 \bmod m} \circ \pi_i(j) = j', \qquad \pi_{i-2 \bmod m} \circ \pi_i(j) = j'',$$

where $j'$ and $j''$ are the positions of the bits inverted in $P_{i-1 \bmod m}$ and $P_{i-2 \bmod m}$. 
We have thus determined one element of $\pi_{i-1 \bmod m} \circ \pi_i$ and of $\pi_{i-2 \bmod m} \circ \pi_i$. Repeating this attack 
for the rest of the bits of $K_i$, $\pi_{i-1 \bmod m} \circ \pi_i$ and $\pi_{i-2 \bmod m} \circ \pi_i$ are recovered with about $\sum_{t=2}^{n} t^2$ 
probes. A similar attack can be applied to recover the permutations $\pi_{i-1 \bmod m} \circ \pi_i$ and 
$\pi_{i-2 \bmod m} \circ \pi_i$ for the other values of $i$ ($i = 0, 1, \ldots, m-1$). From these permutations, 
$\pi_i \circ \pi_0^{-1}$ ($i = 1, \ldots, m-1$) are obtained as follows: 

$$\begin{aligned}
\pi_i \circ \pi_0^{-1} &= (\pi_i \circ \pi_{i-1}^{-1}) \circ (\pi_{i-1} \circ \pi_{i-2}^{-1}) \circ \cdots \circ (\pi_1 \circ \pi_0^{-1}) \\
&= (\pi_i \circ \pi_{i+1 \bmod m} \circ \pi_{i+1 \bmod m}^{-1} \circ \pi_{i-1}^{-1}) \circ (\pi_{i-1} \circ \pi_i \circ \pi_i^{-1} \circ \pi_{i-2}^{-1}) \circ \cdots \circ (\pi_1 \circ \pi_2 \circ \pi_2^{-1} \circ \pi_0^{-1}) \\
&= \bigl((\pi_i \circ \pi_{i+1 \bmod m}) \circ (\pi_{i-1} \circ \pi_{i+1 \bmod m})^{-1}\bigr) \circ \bigl((\pi_{i-1} \circ \pi_i) \circ (\pi_{i-2} \circ \pi_i)^{-1}\bigr) \circ \cdots \circ \bigl((\pi_1 \circ \pi_2) \circ (\pi_0 \circ \pi_2)^{-1}\bigr),
\end{aligned} \tag{4}$$

in which every factor is one of the products $\pi_{l-1 \bmod m} \circ \pi_l$ or $\pi_{l-2 \bmod m} \circ \pi_l$ recovered above. 

After $\pi_i \circ \pi_0^{-1}$ ($i = 1, \ldots, m-1$) are recovered, only $\pi_0$ remains to be recovered. 

To recover $\pi_0$, we need to write a key with Hamming weight one into the device 
correctly, i.e., the values of $K$ and $K_i$ ($i = 0, 1, \ldots, m-1$) should be set correctly in $P$ 
and $P_K$. We deal first with $K$. We choose $K$ as an $n$-bit word with Hamming 
weight one. It appears in $P_i$ ($i = 0, 1, \ldots, m-1$) and $P_{K_i}$ ($i = 0, 1, \ldots, m-1$). The value of 
$K$ in $P_{K_i}$ is $K$ itself since $P_{K_i} = K \oplus K_i$ ($i = 0, 1, \ldots, m-1$). But $\hat{K}_0$, the value of $K$ 
in $P_0$, is unknown since $\hat{K}_0 = \pi_0(K)$ and $\pi_0$ is unknown. We randomly set $\hat{K}_0$ as an 
$n$-bit word with Hamming weight one. The probability that $\hat{K}_0 = \pi_0(K)$ is $n^{-1}$. 
After setting the value of $K$ in $P_0$, the value of $K$ in $P_i$ could be determined since 
$\hat{K}_i = \pi_i(K) = \pi_i \circ \pi_0^{-1}(\hat{K}_0)$ and $\pi_i \circ \pi_0^{-1}$ is known from (4). Thus the values of $K$ in 
$P$ and $P_K$ are determined with probability $n^{-1}$. We then deal with the random 
numbers $K_i$ ($i = 0, 1, \ldots, m-1$). The simplest way is to set their values as zero. Then 
their values in $P$ and $P_K$ are zero. Now we are able to write a key with Hamming 
weight one into a device with success rate $n^{-1}$. Once the device operates properly, we 
know that the key is written successfully into the device. If that happens and the bits 
with value one are $K_j$ and $\hat{K}_{0,j'}$, then $j' = \pi_0(j)$, i.e., one element of $\pi_0$ is recovered. 
The amount of probes needed is about $m \times n$. Repeating this attack, we could finally 
recover $\pi_0$ with about $\sum_{t=2}^{n} m \times t$ probes. 

After recovering $\pi_0$ and $\pi_i \circ \pi_0^{-1}$ ($i = 1, \ldots, m-1$), we break the revised m-permutation 
scheme completely. Only one device is needed in this attack and the total 
amount of probes needed is about $m\sum_{t=2}^{n} t^2 + m\sum_{t=2}^{n} t \approx m \times n^3/3$. 

In the next section, we will discuss whether the revised protection scheme could be 
strengthened or not. Our analysis gives a negative result. 



6 Is It Possible to Strengthen the Revised Scheme 

The attack in Section 5 is based essentially on the fact that each random number 
appears at only three locations in the EEPROM. The mappings between the 
permutation tables could be determined by modifying one by one the bits of those 
random numbers. To resist the attack in Section 5, each random number should appear 
at far more than three locations in the EEPROM. For example, the $P$ in the revised 
scheme can be modified as 

$$P_i = \pi_i\bigl(K \oplus \pi_{i+1 \bmod m}(K_{i+1 \bmod m}) \oplus \cdots \oplus \pi_{i+7 \bmod m}(K_{i+7 \bmod m})\bigr),$$

then each random number appears at eight positions in the EEPROM. However, the 
revised scheme strengthened in this way is still not secure. We can recover those 
permutation tables if about $m \times n$ devices from the same batch are available. In the 
rest of this section, we present a new attack to break only Scheme 3, but the same 
attack can be applied to the scheme where each random number appears at a number 
of locations in the EEPROM. 

Assume that about $m \times n$ devices from the same batch are available and the values 
of $P$ ($P = P_0 \,|\, P_1 \,|\, \ldots \,|\, P_{m-1}$) and $P_K$ ($P_K = P_{K_0} \,|\, P_{K_1} \,|\, \ldots \,|\, P_{K_{m-1}}$) in these devices are 
determined already by applying the EEPROM modification attack. The amount of 
probes needed here is about $3 \times (mn)^2$. We denote $P^i$ and $P_K^i$ as the values of $P$ and 
$P_K$ in the $i$-th device, respectively. 

H. Wu et al. 

Our aim is to write a $P'$ with Hamming weight one into the device. Fung and Gray 
have considered this kind of attack and concluded that it is impossible to apply it to 
break their revised scheme [6]. They consider that if a $P'$ with Hamming weight one 
is written into the EEPROM and the value of $P'_K$ is randomly set, then the probability 
that the device could operate properly (no error message) is negligibly small (about 
$2^{-n}$). However, with about $m \times n$ devices from the same batch, it is possible to 
construct a right pair $(P', P'_K)$ (a right pair means one with which the device operates 
properly and gives no error message). The method to construct such a pair is given 
below. 

Algorithm 1. This algorithm is to construct a pair $(P', P'_K)$ for any given $P'$. It 
needs $m \times n$ devices from the same batch. 

1. Form two $mn \times mn$ binary matrices $M$ and $N$ with the $i$-th column 
$M_i = (P^i)^T$ and $N_i = (P_K^i)^T$. 

2. Solve the linear equations $M \cdot x^T = P'^T$. Let $P'_K = (N \cdot x^T)^T$. 

3. The pair $(P', P'_K)$ is the one we need. 

Then we need to show: 1) the equation $M \cdot x^T = P'^T$ could be solved, i.e., the matrix 
$M$ is invertible with large probability; 2) with the pair $(P', P'_K)$ generated in 
Algorithm 1, the device operates properly. 

To show that the matrix $M$ is invertible with large probability, we start with the 
following theorem. 

Theorem 1. In Scheme 3 (the revised protection scheme), assume that all the keys 
and random numbers in the devices are generated independently and randomly. 
Choose $m \times n$ devices from the same batch. Form an $mn \times mn$ binary matrix $M$, 
with the $i$-th column $M_i = (P^i)^T$. Then the matrix $M$ is a random matrix. 

The proof of Theorem 1 is given in the Appendix. In Theorem 1, we deal only with 
Scheme 3. But the same result could be obtained if each random number appears at 
more than three locations in the EEPROM. 

From Theorem 1, we know matrix $M$ is randomly generated. So it is invertible with 
probability about 0.29. With slightly more than $m \times n$ devices, an invertible matrix 
$M$ could be formed. So the pair $(P', P'_K)$ in Algorithm 1 can be obtained. 

Then we show below that with the pair $(P', P'_K)$ generated in Algorithm 1, the 
device operates properly. 

Theorem 2. In Scheme 3, choose any $n$ devices from the same batch. Let 
$P' = \bigoplus_{i=0}^{n-1} P^i$ and $P'_K = \bigoplus_{i=0}^{n-1} P_K^i$. If $P'$ and $P'_K$ are written into the device, the device will 
operate properly (no error message is given). 

Proof. Since $P' = \bigoplus_{i=0}^{n-1} P^i$ and $P'_K = \bigoplus_{i=0}^{n-1} P_K^i$, it is equivalent to encode a key $K' = \bigoplus_{i=0}^{n-1} K^i$ 
with $m$ random numbers $K'_j = \bigoplus_{i=0}^{n-1} K^i_j$ ($j = 0, 1, \ldots, m-1$). Thus, the key $K'$ will be 
decoded correctly and the device will operate properly. 

From the discussion above, we know that from slightly more than $m \times n$ devices, a 
right pair $(P', P'_K)$ in which the Hamming weight of $P'$ is one could be obtained 
easily. Once we have obtained such a pair, we could recover one element of those 
permutation tables as follows. Suppose only the bit $P'_{i,j}$ (the $j$-th bit of the block $P'_i$) in $P'$ has value one. 
From Scheme 3, we know that the key $K'$ is decoded as 

$$K' = \bigoplus_{l=0}^{m-1} \pi_l^{-1}(P'_l) = \pi_i^{-1}(P'_i).$$

So the Hamming weight of $K'$ is only one. By analyzing the output of the device, the 
value of $K'$ can be determined. Suppose the bit with value one in $K'$ is $K'_{j'}$; then 
$j' = \pi_i^{-1}(j)$, i.e., one element of $\pi_i$ is recovered. Setting the non-zero bit at other 
positions in $P'$ and repeating this attack, we can finally recover all the permutation 
tables. The amount of probes needed is about $mn \times (0.5mn) = 0.5 \times (m \times n)^2$. 

The attack in this section thus breaks the revised protection scheme even if the scheme 
allows each random number to appear at more than three locations. It needs slightly 
more than $m \times n$ devices from the same batch. The total amount of probes needed is 
about $3 \times (mn)^2 + 0.5 \times (mn)^2 = 3.5 \times (mn)^2$. 



7 How to Prevent the EEPROM Modification Attack 

We now know that all the m-permutation schemes are not secure. The flaw in those 
schemes is that those $m$ permutations could be reduced to one permutation. We note 
that all the attacks in this paper have one common step: a key with Hamming weight 
one is written into the EEPROM to recover the permutation table element by element. 
To hide the permutation, we believe that the most essential way is to disallow a key 
with too small (or too large) Hamming weight from being written into the device. Based on 
this observation, we give below a fairly simple and efficient scheme to resist the 
EEPROM modification attack. 

Scheme 4. This scheme protects an $n$-bit secret key against the EEPROM 
modification attack with the use of only one $n$-bit permutation. It is the 
strengthened version of the one-permutation scheme given in Subsection 3.1. 

1. Choose a permutation $\pi$ as the batch key. 

2. Choose the secret key $K$ with Hamming weight $n/2$. 

3. Let $P = \pi(K)$ and write $P$ into the EEPROM. 

4. The wiring implements the inverse of $\pi$. 

5. The device reads $K$ from $P$. If the Hamming weight of $K$ is $n/2$, $K$ 
is accepted; otherwise, the device gives an error message. 

The value of $P$ could be recovered by applying the EEPROM modification attack. 
However, the permutation $\pi$ could not be recovered. The reason is that the output of 
$\pi$ (the value of $P$) is known, but the input of $\pi$ (the value of $K$) is unknown. By 
applying the EEPROM modification attack, the secret key could only be recovered by 
exhaustive search, and the complexity is $0.5 \times \binom{n}{n/2}$. For $n = 128$, the complexity is 
about $2^{123.2}$, which is sufficient to defeat exhaustive key search. We thus believe 
that Scheme 4 is sufficient to resist the EEPROM modification attack. However, it 
should be noted that any compromise of the secret key degrades the security of the 
devices of the same batch. 

As pointed out by the anonymous referee, some public key cryptosystems such as 
RSA do not allow the Hamming weight to be controlled. Scheme 4 could not be used 
to protect the private keys in these cryptosystems. To resist the EEPROM 
modification attack, we recommend the use of a hash function. The one-permutation 
scheme in Subsection 3.1 is used to protect the key together with its hashed value. The 
device hashes the key and compares the result with the hashed value stored in the 
EEPROM. If these two values are equal, the key is used in the crypto applications; 
otherwise, the device gives an error message. 
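As an added example (not code from the paper), the Python below models the device side of Scheme 4 and of the hash-based variant recommended for keys whose Hamming weight cannot be fixed, and evaluates the $0.5 \times \binom{n}{n/2}$ residual search space. The permutation convention is the one from the notation section; the use of SHA-256 as the hash, the seeded randomness, and every function name (`make_batch_key`, `program_device`, `device_read`, ...) are this example's own choices, not the paper's.

```python
import hashlib
import math
import random

# Added example (not the paper's code): a software model of Scheme 4 and of the
# hash-based variant from Section 7.  The hash function (SHA-256) and all names
# are this example's own choices.

def make_batch_key(n, seed=None):
    """The batch key: a random permutation pi of {0, ..., n-1}."""
    pi = list(range(n))
    random.Random(seed).shuffle(pi)
    return pi

def inverse(pi):
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return inv

def apply_perm(pi, bits):
    """(pi(K))_{pi(i)} = K_i, as in the paper's notation section."""
    out = [0] * len(bits)
    for i, b in enumerate(bits):
        out[pi[i]] = b
    return out

def choose_key(n, seed=None):
    """Step 2 of Scheme 4: a key of Hamming weight exactly n/2."""
    bits = [1] * (n // 2) + [0] * (n - n // 2)
    random.Random(seed).shuffle(bits)
    return bits

def program_device(pi, key):
    """Step 3: P = pi(K) is what the EEPROM holds."""
    return apply_perm(pi, key)

def device_read(inv_pi, P):
    """Steps 4-5: the wiring applies pi^{-1}; the key is accepted only if its
    Hamming weight is n/2, so a weight-one P (the probe every attack in the
    paper relies on) is rejected and reveals nothing about pi."""
    K = apply_perm(inv_pi, P)
    if sum(K) != len(K) // 2:
        return None          # error message
    return K

def program_device_hashed(pi, key):
    """Hash variant: store pi(K) together with H(K) for keys (e.g. RSA private
    keys) whose Hamming weight cannot be chosen."""
    digest = hashlib.sha256(bytes(key)).digest()
    return apply_perm(pi, key), digest

def device_read_hashed(inv_pi, P, digest):
    K = apply_perm(inv_pi, P)
    if hashlib.sha256(bytes(K)).digest() != digest:
        return None          # error message
    return K

def search_space_bits(n):
    """log2 of the attacker's remaining work 0.5 * C(n, n/2) once P is known
    but pi is not (Section 7); about 123.2 for n = 128."""
    return math.log2(0.5 * math.comb(n, n // 2))

if __name__ == "__main__":
    n = 128
    pi = make_batch_key(n, seed=7)
    inv_pi = inverse(pi)
    key = choose_key(n, seed=3)
    print("round trip ok:", device_read(inv_pi, program_device(pi, key)) == key)
    probe = [0] * n
    probe[5] = 1             # a weight-one P, as written in the attacks above
    print("weight-one probe rejected:", device_read(inv_pi, probe) is None)
    print("residual search space: 2^%.1f" % search_space_bits(n))
```

The weight check costs the device one popcount, and the hash variant one hash of the decoded key; both reject every probe of Hamming weight one, which is the common step of the attacks in Sections 3 to 6.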



8 Conclusion 

In this paper, we showed that Fung and Gray’s original and revised m - permutation 
schemes are not secure. We then proposed a very simple and efficient scheme to resist 
the EEPROM modification attack by allowing only the key with Hamming weight 
n/2 being written into the device. 
Appendix. Proof of Theorem 1 

Lemma 1. Consider the operations over $GF(2)$. Let $N_1$ and $N_2$ be two $m \times n$ 
($m \le n$) binary matrices. If $N_1$ has rank $m$ and each element of $N_2$ is generated 
independently and randomly, then $N_1 \cdot (N_2)^T$ is randomly generated. 

Proof. Select $m$ linearly independent columns from $N_1$ and form an $m \times m$ matrix 
$N_1'$. The remaining columns form a matrix $N_1''$. Select the corresponding $m$ columns from $N_2$ 
and form an $m \times m$ matrix $N_2'$. The remaining columns form a matrix $N_2''$. Clearly, 
the matrix $N_1' \cdot (N_2')^T$ is randomly generated since $N_1'$ is an invertible matrix and $N_2'$ 
is a random matrix. The matrix $N_1 \cdot (N_2)^T = N_1' \cdot (N_2')^T + N_1'' \cdot (N_2'')^T$, where $N_1' \cdot (N_2')^T$ 
and $N_1'' \cdot (N_2'')^T$ are two independent matrices since $N_2'$ and $N_2''$ are independent from 
each other. So the matrix $N_1 \cdot (N_2)^T$ is randomly generated. 

Lemma 2. Let $M$ be an $m \times (m+1)$ binary matrix with $M_{i,i} = M_{i,i+1} = 1$ for $0 \le i \le m-2$, 
$M_{m-1,m} = 1$ and all the other elements equal to 0, i.e., $M$ is of the following 
form: 

$$M = \begin{pmatrix}
1 & 1 & 0 & \cdots & 0 & 0 & 0 \\
0 & 1 & 1 & \cdots & 0 & 0 & 0 \\
\vdots & & & \ddots & & & \vdots \\
0 & 0 & 0 & \cdots & 1 & 1 & 0 \\
0 & 0 & 0 & \cdots & 0 & 0 & 1
\end{pmatrix} \tag{A.1}$$

Then the rank of $M$ is $m$. 

Proof. Consider the last $m$ columns of $M$. They form an $m \times m$ triangular matrix 
$M'$ with ones on the diagonal, so $\det(M') = \prod_{j=0}^{m-1} M'_{j,j} = 1$ and the rank of $M'$ is $m$. So the rank of $M$ is $m$. 

j=0 



Lemma 3. For an $m \times m$ binary matrix $M$, if $M_{i,j} = 1$ for $\{(i,j) \mid i = j, \text{ or } j = m, \text{ or } i = m\}$ 
and the other elements are 0, i.e., $M$ is of the following form: 

$$M = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 & 1 \\
0 & 1 & 0 & \cdots & 0 & 1 \\
0 & 0 & 1 & \cdots & 0 & 1 \\
\vdots & & & \ddots & & \vdots \\
0 & 0 & 0 & \cdots & 1 & 1 \\
1 & 1 & 1 & \cdots & 1 & 1
\end{pmatrix} \tag{A.2}$$

then the rank of $M$ is $m$ if and only if $m$ is an odd number. 

Proof. Denote an $i \times i$ matrix $M$ of the form (A.2) as $M_{i \times i}$. The following 
relationship holds: 

$$\det(M_{(i+1) \times (i+1)}) = 1 + \det(M_{i \times i}).$$

Since $\det(M_{1 \times 1}) = 1$, we know that $\det(M) = m \bmod 2$. So if and only if $m$ is an odd 
number, $\det(M) = 1$, i.e., the rank of $M$ is $m$. 
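The two rank lemmas and the 0.29 invertibility figure quoted in Section 6 can be checked numerically over $GF(2)$; the Python below is an added example, not part of the paper. Rows are stored as Python integers (bit $j$ of a row is column $j$), the matrices of the forms (A.1) and (A.2) are built directly from the lemmas' definitions, and the product $\prod_{i \ge 1}(1 - 2^{-i})$ gives the limiting probability that a random square binary matrix is invertible. All function names are this example's own.

```python
# Added example (not the paper's code): GF(2) rank checks for Lemma 2 and
# Lemma 3, and the limiting invertibility probability of a random binary matrix.
# A row is an int whose bit j is the entry in column j.

def gf2_rank(rows):
    """Rank over GF(2) via a greedy XOR basis: each row is reduced against the
    basis vectors found so far and kept only if something nonzero remains."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)
        if r:
            basis.append(r)
    return len(basis)

def lemma2_matrix(m):
    """The m x (m+1) matrix (A.1): row i has ones at columns i and i+1 for
    0 <= i <= m-2, and row m-1 has a single one at column m."""
    rows = [(1 << i) | (1 << (i + 1)) for i in range(m - 1)]
    rows.append(1 << m)
    return rows

def lemma3_matrix(m):
    """The m x m matrix (A.2): ones on the diagonal, in the last column and in
    the last row, zeros elsewhere."""
    last_col = 1 << (m - 1)
    rows = [(1 << i) | last_col for i in range(m - 1)]
    rows.append((1 << m) - 1)          # last row: all ones
    return rows

def lemma3_full_rank_sizes(max_m=12):
    """The sizes m <= max_m for which (A.2) has full rank; Lemma 3 says: odd m."""
    return [m for m in range(1, max_m + 1) if gf2_rank(lemma3_matrix(m)) == m]

def random_invertible_probability(terms=64):
    """prod_{i=1}^{terms} (1 - 2^-i): the limit, as k grows, of the probability
    that a uniformly random k x k GF(2) matrix is invertible (about 0.2888)."""
    p = 1.0
    for i in range(1, terms + 1):
        p *= 1.0 - 2.0 ** (-i)
    return p

if __name__ == "__main__":
    print("Lemma 2 holds for m = 2..12:",
          all(gf2_rank(lemma2_matrix(m)) == m for m in range(2, 13)))
    print("Lemma 3: full rank for m in", lemma3_full_rank_sizes())
    print("Pr[random GF(2) matrix invertible] -> %.4f" % random_invertible_probability())
```

The "slightly more than $m \times n$ devices" remark in Section 6 follows from the last figure: each extra column raises the chance that some $mn$-subset of the columns spans the space, so a handful of spare devices suffices in practice.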

Theorem 1. In Scheme 3 (the revised protection scheme), assume that all the keys 
and random numbers in the devices are generated independently and randomly. 
Choose $m \times n$ devices from the same batch. Form an $mn \times mn$ binary matrix $M$, 
with the $i$-th column $M_i = (P^i)^T$. The matrix $M$ is randomly generated. 

Cryptanalysis of the m-Permutation Protection Schemes 

Proof. Let $r^i_j$ ($0 \le i \le m \times n - 1$, $0 \le j \le m$) be $n$-bit binary numbers, 
$r^i_j = \pi_{j+1 \bmod m}(K^i_{j+1 \bmod m})$ for $j \le m-1$ and $r^i_m = K^i$ (where $K^i_{j+1 \bmod m}$ is the $(j+1)$-th random 
number in the $i$-th device and $K^i$ is the key in the $i$-th device). Assume $K^i_j$ and 
$K^i$ are generated independently and randomly, so the $r^i_j$ ($0 \le i \le m \times n - 1$, $0 \le j \le m$) 
are generated independently and randomly. 

Let $s^i_j$ ($0 \le i \le m \times n - 1$, $0 \le j \le n-1$) be $(m+1)$-bit binary numbers; the $k$-th bit 
of $s^i_j$ is the $j$-th bit of $r^i_k$, i.e., $s^i_{j,k} = r^i_{k,j}$, so the $s^i_j$ 
($0 \le i \le m \times n - 1$, $0 \le j \le n-1$) are the permuted result from the $r^i_j$ ($0 \le i \le m \times n - 1$, 
$0 \le j \le m$). Clearly, the elements $s^i_{j,k}$ are generated independently and randomly. 

Form an $(m+1)n \times mn$ matrix $S$ whose $i$-th column is $s^i_0 \,|\, s^i_1 \,|\, \ldots \,|\, s^i_{n-1}$. Since every 
element of $S$ is generated independently and randomly, $S$ has rank $mn$ with high probability. 

Form an $mn \times (m+1)n$ matrix $T$ and an $mn \times mn$ matrix $P$: 

$$T = \begin{pmatrix}
T_0 & 0 & \cdots & 0 \\
0 & T_1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & T_{n-1}
\end{pmatrix}, \qquad
P = \begin{pmatrix}
P_0 & 0 & \cdots & 0 \\
0 & P_1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & P_{n-1}
\end{pmatrix},$$

where each $T_i$ is an $m \times (m+1)$ binary matrix of the form (A.1) and each $P_i$ is an $m \times m$ 
matrix of the form (A.2). From Lemma 2 and 3, it is easy to see that both $P$ and 
$T$ have rank $mn$. 

Define an $mn \times mn$ matrix $M'$ as $M' = P \cdot T \cdot S$. From Lemma 1, we know that 
$M'$ is randomly generated since $P$ and $T$ have rank $mn$ and $S$ is randomly 
generated. 

The matrix $M$ formed in Scheme 3 could be considered as being formed by 
exchanging the columns of $M'$. So the matrix $M$ is randomly generated. 
Abstract. In this paper we describe an implementation of the DES 
(and Triple-DES) algorithm using the bitslicing technique on an Intel 
Pentium MMX processor. Implementation specifics are discussed and 
comparisons made with an optimised C-coded DES implementation and 
an assembly language DES implementation. This paper sets the scene for 
future research of the inter-relation between design and implementation 
of the newer 128-bit symmetric block ciphers. 



1 Introduction 

Symmetric block cipher design is, by necessity, influenced by the technology to 
be used in the implementation of the cipher. The primary goal of a cipher is to 
provide security, with its optimisation of implementation being a very important 
secondary consideration. 

Early cryptographic processing was generally a bottleneck in communications 
and its implementation in hardware was necessary to optimise its speed. Today 
commodity microprocessors are available which can, in general, process software 
implementations of ciphers quickly enough for most purposes. Of course there 
are benefits of hardware devices for performing cryptographic processing such as 
the secure storage of keys due to tamper-resistance. However, there are numerous 
applications such as web browsers and email encryption utilities where ciphers 
are implemented in software and hence, here we focus on optimisation issues in 
software implementations of block ciphers. 

Many optimisation techniques tend to be a trade-off between storage and 
speed. The storage of large amounts of information may be acceptable on 
platforms that are unrestricted by memory limitations but may not be possible on 
other platforms where the amount of available memory is minimal (such as a 
smart card). 

Optimised cryptographic code is generally either purchased from a vendor or 
written in-house. People who optimise cryptographic algorithms, complemented 
by an appreciation of architectures and platform instruction sets, possess a very 
specialised skill. As technological advances and platform diversity proliferate the 
demand for these skills increases accordingly. Optimised code and methods for 
achieving it are generally closely-guarded secrets, with information in the public 
domain being scarce. In this and consequent papers, the authors’ contribution 
is to make our findings and applications available in the public literature. 

The Data Encryption Standard (DES) [3] has been the symmetric block 
cipher standard since 1976 and is the most commonly studied cipher due to its 
widespread use. Many different techniques can be used to improve the efficiency 
of DES (for example [2]). One recent technique which indicates a path to 
faster implementation of some encryption algorithms is the use of bitslicing. This 
technique was applied by Eli Biham in 1997 [1]. Section 2 discusses some 
implementation and optimisation issues with the Pentium MMX platform. Section 3 
compares the C, assembler and bitsliced MMX DES implementations and 
investigates three potential S-box algorithms. Section 4 discusses some quite restrictive 
limitations of MMX bitslicing regarding modes of operation and the platform 
itself, whilst Section 5 concludes the paper. 

2 Issues in Implementing Bitslicing on a Pentium 

Bitslicing enables the DES S-boxes to be represented in software by their logical 
gate circuits. Bitslicing, essentially, encrypts one bit at a time. If the 
implementation platform allows for parallel data processing then, in effect, a number 
of single bits are encrypted simultaneously. Intel Pentium MMX technology is 
one such platform that uses a 64-bit register for parallel data processing. These 
processors are very relevant to cryptographic application as they are in such 
widespread use, particularly in commerce, which is one of the heaviest users of 
cryptography. 

In the case of a 64-bit processor, bitslicing enables sixty-four data blocks 
to be processed concurrently. This section is concerned with implementing the 
complete DES cipher using the bitslicing technique. The Pentium MMX bitsliced 
code in this paper was produced by using the Visual C++ compiler with in-line 
assembly. 

In his paper Biham described a new optimised bitsliced DES implementation 
on a 300MHz Alpha 8400 consisting of thirty-two 64-bit integer registers. As 
was shown on such a computer, it is possible to gain a significant speed-up over 
standard implementations using the bitslicing technique as sixty-four data blocks 
are encrypted simultaneously. Biham’s implementation ran three times as fast 
as the fastest implementation at that time (Eric Young’s libdes [8], which was 
designed for 32-bit architectures). 

Section 2.1 summarises the MMX instructions employed in the bitsliced 
implementation and also notes some subtleties in their use. Section 2.2 discusses 
some Pentium-specific optimisation techniques. 



2.1 MMX Instructions 

Intel’s MMX architecture was designed specifically to enhance the performance 
of advanced media, multimedia and communication applications. It achieves this 
through the introduction of new dedicated 64-bit integer registers, a new 
instruction set which allows for data parallelisation and a superscalar architecture which 
enables instruction-level parallelisation. 

The MMX instruction set adds fifty-seven new instructions. The six 
instructions used in the MMX implementations discussed in this paper are: 

EMMS enables the MMX registers to be aliased on the floating point unit 
MOVQ moves a 64-bit word between registers/memory and registers/memory 
PXOR binary EXCLUSIVE-OR 
PAND binary AND 
PANDN binary NOT followed by binary AND 
POR binary OR 

The EMMS, MOVQ, PXOR and POR instructions are straightforward and 
give no surprises in their application. The use of the PAND and PANDN 
instructions, however, contains subtleties which we now address. 

The PAND instruction performs a binary AND on sixty-four bits of data 
from an MMX register or memory to an MMX register. For example, the code 
PAND MM0,MM1 performs a bitwise logical AND of the contents of MM0 and 
MM1 and stores the result in MM0. 

The PANDN instruction firstly inverts (complements) the sixty-four bits in 
an MMX register and then ANDs the inverted MMX register contents with 
another MMX register or memory. For example, the code PANDN MM0,MM1 
initially inverts the contents of MM0, and then performs a bitwise logical AND 
of the result and the contents of MM1. The result is stored in MM0. 

Using the PANDN instruction requires multiple additional instructions when 
compared to storing a NOT value using C code and then using the PAND 
assembly instruction. This is because the value to be inverted must be in the first 
operand and this value is destroyed during the execution of the instruction, 
resulting in multiple additional instructions being required to retain the initial 
value in the first operand. 

Bitslicing DES S-boxes requires the use of a bitwise logical AND and a bitwise 
logical NOT instruction that performs a bitwise logical NOT on a 64-bit data 
block. As there is no MMX NOT instruction, it is necessary to use the PANDN 
instruction. This limits the processing speed of the S-boxes severely due to the 
multiple extra instructions required to maintain the state of the registers. 



2.2 Pentium 

The management of Intel’s branch prediction technique is an important tool to 
be used in any attempt at optimisation on the Pentium. Branch prediction oc- 
curs when a probabilistic decision, based on past events, is made by the compiler 
as to the address of the next instruction. Optimising branch prediction techni- 
ques is most beneficial where the code uses if/then/else statements, particularly 
in connection with looping structures. In this paper’s MMX implementation, 
the use of if/then/else statements is kept to a minimum, so this optimisation technique is not beneficial to our implementation.

The dual-pipelining architecture in the Pentium enables two individual instructions to execute in two processors (the u pipe and the v pipe) simultaneously, referred to as pairing the instructions. Maximal pairing can result in significant reductions in the number of clock cycles needed to implement code sections. The u pipe is the master processor whilst the v pipe is the slave processor. If there is no pairing of instructions, all instructions are fed through the u pipe whilst the v pipe remains empty. If there is maximal pairing of the instructions, half the instructions are fed through the u pipe and the other half are fed through the v pipe simultaneously. Therefore the aim of optimising by pairing instructions is to write code in such a way that the compiler keeps both pipes full. This dual-pipeline instruction processing is called superscalar parallelism. There are certain restrictions on the type of instructions that can be paired, mostly to do with the complexity of the individual instructions and the limitations of the supporting hardware. This approach applied to each of the eight S-box implementations resulted in a reduction of, on average, 23.6% of the original number of clock cycles.

3 Comparison of DES Implementations 

This section compares the C, assembly (Eric Young’s C and assembly imple- 
mentations [8]) and MMX implementations with respect to various techniques. 
Code optimisation is, in general, a function of both the algorithm and the im- 
plementation language conjointly. Several different techniques are presented and 
discussed in this section. 

Section 3.1 discusses the initial and final permutations. As the implementa- 
tion of the DES S-boxes is the overriding factor in its optimisation, several S-box 
Boolean function algorithms are investigated with regard to their suitability for 
MMX implementation. Section 3.2 discusses the applicability of MMX instruc- 
tions to these S-box algorithms. Section 3.3 gives a single-round comparison. A 
complete DES implementation comparison is given in Section 3.4, while Section 
3.5 addresses Triple-DES implementations. 

3.1 Permutations 

Permutations are inefficient in software. Patterns in the permutations make the use of look-up tables and streamlined operations possible. The SWAPMOVE technique, which we now describe, requires no memory and is extremely efficient for the IP, FP and PC1 permutations of DES. This technique is utilised in versions of DES available from the Internet (for example Eric Young’s libdes [8]). Consider the following process:

SWAPMOVE(A, B, N, M)
    T = ((A >> N) ^ B) & M;
    B = B ^ T;
    A = A ^ (T << N);

In this process the bits in B, masked by M, are swapped with the bits in A, masked by (M << N).

The IP can be performed using five SWAPMOVE operations, totalling thirty logical operations. This is an extremely efficient implementation technique. The permutation FP is performed by reversing the order of the five SWAPMOVE operations used in IP. PC1 can be performed in a similar manner, requiring sixty-four logical operations. The optimised C and assembler codes use the SWAPMOVE procedure, but the bitsliced implementation does not.
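As an added illustration of the SWAPMOVE technique (not the paper's or libdes' code): a C implementation of SWAPMOVE, a bit-by-bit reference that confirms the swap it performs, and IP/FP built from five SWAPMOVEs each. The shift/mask sequence is the one I recall from libdes' PERM_OP macros and is an assumption; the halves are treated as plain 32-bit words, so the example checks invertibility and the swap property rather than agreement with the FIPS bit numbering.

```c
#include <stdint.h>
#include <stdio.h>

/* SWAPMOVE(A, B, N, M) as given in the text: the bits of B selected by M are
 * swapped with the bits of A selected by (M << N). Six logical operations:
 * shift, xor, and, xor, shift, xor. Precondition: (M << N) must not overflow. */
static void swapmove(uint32_t *a, uint32_t *b, unsigned n, uint32_t m)
{
    uint32_t t = ((*a >> n) ^ *b) & m;
    *b ^= t;
    *a ^= t << n;
}

/* The same swap done one bit at a time; used only to check the identity. */
static void swap_reference(uint32_t *a, uint32_t *b, unsigned n, uint32_t m)
{
    for (unsigned i = 0; i + n < 32; i++) {
        if (!((m >> i) & 1u))
            continue;
        uint32_t bit_a = (*a >> (i + n)) & 1u;
        uint32_t bit_b = (*b >> i) & 1u;
        if (bit_a != bit_b) {          /* swapping equal bits changes nothing */
            *a ^= 1u << (i + n);
            *b ^= 1u << i;
        }
    }
}

int swapmove_matches_reference(uint32_t a, uint32_t b, unsigned n, uint32_t m)
{
    uint32_t a1 = a, b1 = b, a2 = a, b2 = b;
    swapmove(&a1, &b1, n, m);
    swap_reference(&a2, &b2, n, m);
    return a1 == a2 && b1 == b2;
}

/* IP as five SWAPMOVEs on the two 32-bit halves (5 x 6 = 30 logical
 * operations). Shift/mask sequence as recalled from libdes' PERM_OP macros
 * (assumption); l and r are plain words here, not the FIPS bit numbering. */
void ip_swapmove(uint32_t *l, uint32_t *r)
{
    swapmove(r, l,  4, 0x0f0f0f0fu);
    swapmove(l, r, 16, 0x0000ffffu);
    swapmove(r, l,  2, 0x33333333u);
    swapmove(l, r,  8, 0x00ff00ffu);
    swapmove(r, l,  1, 0x55555555u);
}

/* FP: the same five SWAPMOVEs in reverse order, as each one is an involution. */
void fp_swapmove(uint32_t *l, uint32_t *r)
{
    swapmove(r, l,  1, 0x55555555u);
    swapmove(l, r,  8, 0x00ff00ffu);
    swapmove(r, l,  2, 0x33333333u);
    swapmove(l, r, 16, 0x0000ffffu);
    swapmove(r, l,  4, 0x0f0f0f0fu);
}

/* IP on a 64-bit value packed as (l << 32) | r. */
uint64_t ip64(uint64_t lr)
{
    uint32_t l = (uint32_t)(lr >> 32), r = (uint32_t)lr;
    ip_swapmove(&l, &r);
    return ((uint64_t)l << 32) | r;
}

int ip_roundtrip_ok(uint32_t l, uint32_t r)
{
    uint32_t l2 = l, r2 = r;
    ip_swapmove(&l2, &r2);
    fp_swapmove(&l2, &r2);
    return l2 == l && r2 == r;
}

static int popcount64(uint64_t x)
{
    int c = 0;
    for (; x; x &= x - 1)
        c++;
    return c;
}

/* A pure bit permutation is XOR-linear and preserves the number of set bits. */
int ip_is_permutation_like(uint64_t x, uint64_t y)
{
    return (ip64(x) ^ ip64(y)) == ip64(x ^ y)
        && popcount64(ip64(x)) == popcount64(x);
}

int main(void)
{
    uint64_t x = 0x0123456789abcdefULL;   /* constructed sample block */
    printf("IP(%016llx) = %016llx, round trip %s\n",
           (unsigned long long)x, (unsigned long long)ip64(x),
           ip_roundtrip_ok((uint32_t)(x >> 32), (uint32_t)x) ? "ok" : "FAILED");
    return 0;
}
```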

SWAPMOVE is a function based on the positions of the bits within a block. 
Although it is an extremely efficient technique for a C-coded implementation it 
cannot be used in the bitsliced implementation as the block bit positions are 
changed; therefore a standard IP permutation was used in the MMX code and, 
as can be seen in Table 1, it was faster than the optimised DES version that used 
the SWAPMOVE procedure. This speed-up is gained due to the 64-bit parallel 
processing bitslicing allows. 

Table 1. Initial Permutation (IP)

Code            Clock cycles/64 DES data blocks
C DES           2659
Assembler DES   1541
Bitsliced DES    148


3.2 S-box Implementation 

S-boxes that are implemented using Boolean functions are generally slower than when implemented using look-up tables; however, when they are used to process sixty-four word blocks in parallel, they give a more optimised S-box implementation.

There are multiple Boolean functions which can represent the DES S-boxes 
and be implemented efficiently. Schaumuller-Bichl’s Method of Formal Coding 
[6], Shimoyama’s algorithm [7] and Kwan’s algorithm [4] were implemented for 
comparative purposes. 

Kwan’s algorithm is clearly the fastest when written in the C language (Table 
2). All algorithms were also programmed using MMX instructions (Table 3). 
Kwan’s algorithm remained the fastest, although there was also a substantial 
speed improvement for Schaumuller-Bichl’s algorithm. Shimoyama’s algorithm 
written in MMX assembly language (Table 3) did not show significant speed 
improvement due to the multiple variables involved in the algorithm. 

A note on timings: With each new Intel Pentium processor some instructions 
execute in a reduced number of clock cycles. In our experience we found that 
the difference between the Pentium II and Pentium III was not substantial. The 
timings for all tables in this paper were performed on a 500 MHz Pentium III. 
We found the Pentium with MMX processor to be, on average, twenty percent 
slower than the Pentium II/III. 
Table 2. Comparison table of C-coded S-box algorithms

   Code                      Clock cycles/64 S-box 1 inputs
1. Schaumuller-Bichl (SB)    243
2. Shimoyama (S)             235
3. Kwan (K)                  150

Table 3. Comparison table of MMX-coded S-box 1 implementations

   Code                      Clock cycles/64 S-box 1 inputs
1. Schaumuller-Bichl         137
2. Shimoyama                 226
3. Kwan                       90


Table 3 clearly indicates that the most suitable algorithms for MMX imple- 
mentation are Schaumuller-Bichl’s Method of Formal Coding and Kwan’s algo- 
rithm. 

Using Schaumuller-Bichl’s algorithm, S-box 1 was implemented in four diffe- 
rent ways (Table 4). 

Table 4. Comparison table of S-box 1 implementations using the Schaumuller-Bichl algorithm

   Code                                             Clock cycles/64 S-box 1 inputs
1. Using variables and PANDN                        166
2. Using minimal variables and PANDN                245
3. Using variables and store NOT values             174
4. Using minimal variables and store NOT values     137


In Table 4, Implementations 1 and 2 are compared as they differ only in the number of variables used, as opposed to the number of registers used. This comparison indicates that using variables to store data, as opposed to trying to store them in the registers, makes for faster implementation as well as easier coding. Alternatively a comparison of Implementations 3 and 4 (which differ only in that the latter uses fewer variables) indicates that using fewer variables is faster. Therefore, in general, the effect of the number of variables used is inconclusive. In Table 4, Method 4 was the fastest, therefore it was used for all eight S-boxes in the final DES bitsliced implementation using Schaumuller-Bichl’s algorithms.

Kwan’s S-box 1 implementation was faster than Schaumuller-Bichl’s implementation (Table 3), therefore Kwan’s algorithms for the eight S-boxes were also implemented for the final DES bitsliced comparisons.

Table 5 gives the timings for each of the eight S-boxes for both algorithms. For each of the S-boxes Kwan’s algorithm produced the fastest MMX code. However, as will be discussed in Section 3.4, the full DES implementation using Kwan’s S-box algorithms actually executed slower due to pre-processing and overheads in execution.



Table 5. Eight individual MMX S-box implementations

S-box (64 inputs)     1     2     3     4     5     6     7     8
S clock cycles      137   111   123   172   152   124   140   135
K clock cycles       90    95    87    80   101    98    96    88


3.3 A Single Round of DES 

A single round of DES for each of the four approaches was applied and the results compared. Table 6 indicates that the bitsliced implementation using the Schaumuller-Bichl S-box algorithms is the fastest.

Table 6. One round

Code               Clock cycles/64 DES data blocks
C DES              17786
Assembler DES      14255
SB Bitsliced DES   10597
K Bitsliced DES    18831


3.4 Complete DES Implementations 

The complete DES implementation includes all the previously-mentioned components. Table 7 indicates that the complete bitsliced DES using Schaumuller-Bichl’s S-box algorithms is 68% faster than the complete C-coded DES and 35% faster than the assembler DES. Timings were performed on a 500 MHz Pentium III.



Table 7. Complete DES implementation

Code               Clock cycles/MByte   Mbps
C DES                        72857172   54.90
Assembler DES                58389896   68.50
SB Bitsliced DES             43405661   92.15
K Bitsliced DES              77130624   51.86

It is of interest that, even though the implementation of each of the individual S-boxes is, on average, 33% faster using Kwan’s algorithms (Table 5), the final DES bitsliced implementation (Table 7) using Kwan’s S-box algorithms was 45% slower than using Schaumuller-Bichl’s S-box algorithms. This significant difference is attributed to the fact that Kwan’s S-box algorithms require substantially more variables to implement (and hence more pre-processing and overheads) than Schaumuller-Bichl’s S-box algorithms.

This finding indicates that, using MMX technology, it is important to balance 
the number of variables and the number of logic gates used in the algorithm due 
to the limited number of MMX registers and the limited instruction set. If the 
MMX platform had thirty-two MMX integer registers instead of the currently- 
available eight, the full DES implementation using Kwan’s S-box algorithms 
should be faster than the Schaumuller-Bichl algorithms. 

3.5 Triple-DES Implementation 

Triple-DES was implemented using the procedures from both bitsliced DES im- 
plementations. From a programming perspective, the only difference between 
Triple-DES and standard DES (other than tripling the number of DES procedu- 
res performed) is that Triple-DES does not require the IP and FP permutations 
between the first and second single DES, and the second and third single DES, 
since they are the inverse of each other. The initial permutation before the first 
single DES and the final permutation after the third single DES are still required. 

The Schaumuller-Bichl bitsliced Triple-DES (Table 8) is the fastest imple- 
mentation. Timings were performed on a 500 MHz Pentium III. 

Table 8. Triple DES implementation

Code               Clock cycles/MByte   Mbps
C DES                       183315583   21.80
Assembler DES               140440785   28.48
SB Bitsliced DES            127064841   31.48
K Bitsliced DES             185454810   21.00




4 Limitations 

There are some limitations in using bitslicing both in general and also on a Pen- 
tium MMX platform. The bitslicing technique has some restrictions in general in 
respect to common modes of block cipher implementation, which are discussed 
in Section 4.1. The Pentium MMX platform has some restrictive limitations for 
the bitslicing application when compared to the Alpha 8400 (Section 4.2), but 
it is in much more widespread use than the Alpha and so is a more acceptable 
block cipher implementation platform. Section 4.3 explains the requirements of 
data-format conversion for the bitslicing technique. 
4.1 Modes of Operation

Bitslicing implementations are suited to encryption and decryption using Electronic Code Book (ECB) mode. Since sixty-four data blocks are encrypted or decrypted simultaneously using the bitslicing technique, the method is not suitable for use with traditional block cipher modes where the current data block is reliant on the output from a previous data block encryption or decryption. These modes are Cipher FeedBack (CFB) encryption, Cipher Block Chaining (CBC) encryption, and Output FeedBack (OFB) encryption and decryption. With both the CFB and CBC modes the ciphertext is available (without the necessity of having to reproduce it in the decryption process), so the bitslicing implementation can be used for decryption in these modes. Traditional feedback and chaining modes of operation are used in most applications of DES, so this is a major limitation of the bitslicing implementation technique.

In his paper Biham proposed a CBC-like mode where the IV is 4096 bits 
and the entire 4096-bit ciphertext (64 x 64-bit blocks) block is XORed with 
the ensuing 4096-bit plaintext block. This mode would overcome some of the 
shortcomings associated with the ECB mode of operation. 

There would, however, be security problems associated with using this CBC- 
like mode operated on a 4096-bit block. For example, the traditional CBC mode 
operated on the standard 64-bit block offers a means of producing a Message 
Authentication Code (MAC). One of the intrinsic security features of the MAC 
(produced by DES encryption in traditional 64-bit CBC mode) is that the MAC 
is a function of every bit of the message or, conversely, every bit of the message 
used to generate the MAC is diffused across the entire MAC. In the case of a 
4096-bit CBC-like mode this would not be the case since diffusion of a particular 
bit of the message would be restricted to a particular 64-bit subblock and not 
the entire 4096-bit block, as is a basic requirement of a MAC. 

ECB mode however is still used in some applications, and these applications 
will directly benefit from the DES bitslicing implementation. 

4.2 Pentium MMX Platform 

A limiting restriction of the Pentium is that only eight MMX registers are available. A DES bitsliced implementation requires a minimum of six registers, one for each S-box input bit x_j. The remaining registers are used as accumulators and for other intermediary tasks. In the case of the Pentium this leaves only two registers for these housekeeping tasks, which is insufficient for producing optimised code.

Where the available MMX registers are inadequate for the necessary tasks 
the programmer must use non-MMX 32-bit registers. Moving data to and from 
the non-MMX registers requires more use of the MMX move command which 
increases the number of instructions necessary in the implementation, as well 
as the extra overheads involved with swapping between a 64-bit and a 32-bit 
word size. The Alpha 8400, having four times as many integer registers as the 
Pentium MMX, would not have these restrictions. 
Another restriction on programmers is that the MMX instructions accept only two operands. This necessitates more frequent moving of data within the registers and, consequently, produces code with more instructions. The restrictive PANDN instruction and the absence of a 64-bit logical NOT instruction (Section 2.1) are also limiting factors.

Biham’s fastest DES bitsliced implementation was 137 Mbps on a 300MHz 
Alpha 8400 processor. The fastest 500MHz Pentium MMX bitsliced implementa- 
tion in this paper is 92 Mbps, which is a respectable result given the limitations 
of the platform and its instruction set, especially the minimal number of MMX 
registers. 

4.3 Data Conversion 

The data for the bitslicing implementation needs to be read into the registers 
in a non-traditional format. The inverse of this initial reformatting must also be 
performed at the end of the data processing. There is an overhead cost involved 
with this reformatting. We did not include the cost of data preparation or refor- 
matting in any implementation. When used in situ, the code would be executed 
by a call from the Application Program Interface (API) which would incorporate 
any necessary reformatting before and after encryption and decryption. 
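As an added example (not the paper's code) of the reformatting Section 4.3 refers to: the 64 x 64-bit transpose that turns sixty-four DES blocks into sixty-four bit slices, its inverse, and a check that one 64-bit AND on two slices equals a per-block AND of two bit positions across all sixty-four blocks. Bit j of a block is taken as bit j of a uint64_t, an assumed numbering unrelated to the FIPS 1..64 convention; the input blocks are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 64 blocks in, 64 slices out: bit i of slices[j] is bit j of blocks[i], so a
 * single 64-bit logical instruction then handles bit j of all 64 blocks. */
void to_bitsliced(const uint64_t blocks[64], uint64_t slices[64])
{
    for (int j = 0; j < 64; j++) {
        uint64_t s = 0;
        for (int i = 0; i < 64; i++)
            s |= ((blocks[i] >> j) & 1u) << i;
        slices[j] = s;
    }
}

/* The inverse reformatting applied after processing is the same transpose,
 * since exchanging (block, bit) with (bit, block) is its own inverse. */
void from_bitsliced(const uint64_t slices[64], uint64_t blocks[64])
{
    to_bitsliced(slices, blocks);
}

/* Constructed sample input: 64 distinct blocks from a simple LCG fill. */
static void fill_sample(uint64_t blocks[64])
{
    uint64_t v = 0x0123456789abcdefULL;
    for (int i = 0; i < 64; i++) {
        v = v * 6364136223846793005ULL + 1442695040888963407ULL;
        blocks[i] = v;
    }
}

/* Only block 5, bit 9 set on input -> only slice 9, bit 5 set on output. */
int bitsliced_spot_check(void)
{
    uint64_t blocks[64] = {0}, slices[64];
    blocks[5] = 1ULL << 9;
    to_bitsliced(blocks, slices);
    for (int j = 0; j < 64; j++) {
        uint64_t expect = (j == 9) ? (1ULL << 5) : 0;
        if (slices[j] != expect)
            return 0;
    }
    return 1;
}

int bitsliced_roundtrip_ok(void)
{
    uint64_t blocks[64], slices[64], back[64];
    fill_sample(blocks);
    to_bitsliced(blocks, slices);
    from_bitsliced(slices, back);
    for (int i = 0; i < 64; i++)
        if (back[i] != blocks[i])
            return 0;
    return 1;
}

/* slices[0] & slices[1] computes (bit 0 AND bit 1) of every block at once;
 * compare with the per-block result. */
int parallel_and_matches(void)
{
    uint64_t blocks[64], slices[64];
    fill_sample(blocks);
    to_bitsliced(blocks, slices);
    uint64_t parallel = slices[0] & slices[1];
    for (int i = 0; i < 64; i++) {
        uint64_t expect = (blocks[i] & (blocks[i] >> 1)) & 1u;
        if (((parallel >> i) & 1u) != expect)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("spot check %s, round trip %s, parallel AND %s\n",
           bitsliced_spot_check() ? "ok" : "FAILED",
           bitsliced_roundtrip_ok() ? "ok" : "FAILED",
           parallel_and_matches() ? "ok" : "FAILED");
    return 0;
}
```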

5 Conclusion 

In this paper the technique of bitslicing is applied to the DES algorithm on 
the very widely-used Intel Pentium MMX processor at a speed of 92 Mbps. 
Pentium implementation and optimisation issues are discussed. Some application 
limitations of bitsliced DES are identified, and a comparison of the C, assembler 
and bitslicing approaches is made. 

Our research goal is concerned with implementation issues of symmetric block 
ciphers and how they affect the design of ciphers. 

In this paper we have discussed a wide range of implementation issues of the 
DES symmetric block cipher. Our future research will concentrate on investi- 
gating implementation issues with respect to the new 128-bit block ciphers (for 
example, the new AES candidates [5]), and how these implementation issues 
affect the design decisions of the ciphers themselves. This work will build on the 
framework set out in this paper. 



References 

1. E. Biham, A Fast New DES Implementation in Software, 4th International Workshop, FSE’97, Israel, January 1997; Proceedings, Lecture Notes in Computer Science, Springer, Vol 1267, pp 260-271.

2. M. Davio, Y. Desmedt, J. Goubert, F. Hoornaert and J. J. Quisquater, Efficient Hardware and Software Implementations for the DES, Proceedings of CRYPTO ’84, Lecture Notes in Computer Science 196, Springer-Verlag, pp 144-146.







3. Federal Information Processing Standards Publications, FIPS PUB 46-1, Data Encryption Standard, USA.

4. M. Kwan, Bitslice DES, S-box Implementation, March 1998, http://www.darkside.com.au/bitslice/sboxes.c.

5. National Institute of Standards and Technology (NIST), Request for Candidate Algorithm Nominations for the Advanced Encryption Standard (AES), Federal Register, Volume 62, Number 177.

6. I. Schaumuller-Bichl, Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding, Advances in Cryptology, EUROCRYPT’82 Proceedings, Springer-Verlag, 1992, pp 235-255.

7. T. Shimoyama, S. Amada, S. Moriai, Improved Fast Software Implementation of Block Ciphers, 1st International Conference, ICICS’97, China, November 1997, Proceedings: Lecture Notes in Computer Science, Vol 1334, pp 269-273.

8. E. Young, libdes, http://www.SSLeay.org.




Securing Large E-Commerce Networks

Panagiotis Sklavos, Aggelos Varvitsiotis and Despina Polemi

Institute of Communication and Computer Systems
Department of Electrical and Computer Engineering
National Technical University of Athens
Hroon Politechniou 9
Zografou, Athens, Greece 157 73
Tel: 30-1-772 2466
Fax: 30-1-772-3557

psklavos@softlab.ntua.gr, avarvit@cc.ece.ntua.gr, polemi@softlab.ntua.gr



Abstract. The Chambers of Commerce (CoCs) have to integrate into the emerging Public Key Infrastructure (PKI), which will be a prerequisite for secure Electronic Commerce (E-commerce). To fulfil the future requirements of E-commerce the CoCs need a secure communication channel between each other and the ability to have their customers’ electronic documents verified by any third party. In this paper we present a new Trusted Third Party (TTP) service which allows a large chain of different CoCs, acting as Certification Authorities (CAs), to interoperate.



1 Introduction 

The European Commission under the Fourth Framework Programme in the Telematics Applications Programme for Administrators has funded a project entitled COSACC (Co-ordination of Security Activities between the Chambers of Commerce)¹. COSACC, a two-year project, started in July 1998. It aims to identify current and future business scenarios for Chambers of Commerce (CoCs) which can be handled electronically, permit the CoCs to act as a vehicle for international electronic commerce, and provide a secure link between CoCs in order to enable them to take their primary business into an electronic realisation.

This paper presents results from this ongoing project, in particular a new Trusted 
Third Party (TTP) service called the Trust Transitivity (TT) service, developed by the 
authors, in order to address the need for interoperation between different Certification 
Authorities (CAs). 



¹ The third author is the Technical Manager of the COSACC project.



E. Dawson, A. Clark, and C. Boyd (Eds.): ACISP 2000, LNCS 1841, 123-133, 2000. 
© Springer Verlag Berlin Heidelberg 2000 
Traditionally the CoCs are Trusted Third Parties. Today their main operational tasks are:

• Running the business register (official company registers). 

• Issuing certificates of origin (certifying the origin of products). 

• Issuing carnet ATA (customs guarantees for temporarily exported goods). 

However, the organizational structure of the European CoCs is different from country to country. In some countries they are public law organizations (e.g. Greece, Netherlands); in other countries they are private law organizations (e.g. Denmark, Switzerland) which act on behalf of the state for specific tasks. In Switzerland the business register is not run by the CoC.

For specific purposes, the CoCs are organized on an international level. For 
instance with respect to the carnet ATA they run an international organization 
according to the carnet ATA convention managed by the International Bureau of 
Chambers of Commerce (IBCC). 

E-Commerce [5,6,9] is now a new challenge for the CoCs. On the one hand, the 
traditional business based on paper documents is diminishing and must be supported 
by electronic documents and communication. On the other hand, the replacement of 
paper documents by electronic files offers new opportunities for the CoCs to act as 
Trusted Third Parties [8]. The necessary technical infrastructure [7, 29] and the tools 
to cope with this challenge exist or can be implemented: 

• The digital signature which guarantees authenticity of the sender, integrity of the 
document and non-repudiation of origin. Confidentiality can also be provided 
with the same cryptographic algorithms. 

• A Public Key Infrastructure [33] as a prerequisite for the proper organizational 
functioning and the legal acceptance of the digital signature. 

The commercial purpose of the COSACC project is to enhance the existing services and to adapt them to E-commerce. COSACC deals with

• the implementation of a secure electronic channel between CoCs over existing public networks (e.g. Internet) for the exchange of documents and

• the electronic sealing of entities (documents, programs, web sites) by a specific CoC, in a way that the seal can be verified by any third party using World Wide Web (WWW) techniques.

In this paper the various identified security threats, requirements and security 
services for the secure interconnection of the CoCs, which will act as TTPs, are 
described. In particular, this paper has been organized as follows: Section 2 provides 
an overview of common threats in E-Commerce networks and of the security 
considerations in the CoCs. Section 3 discusses the Core TTP services that provide an 
answer to the security requirements of the CoCs. Section 4 presents the functionality 
and the implementation of the TT service. Finally, Section 5 draws conclusions and 
directions for further research. 
2 Threats and Security Considerations in the CoCs

The lack of a technological infrastructure that will ensure secure transactions hinders 
the interoperation between European CoCs and their evolution as core components of 
a pan-European E-Commerce [1] infrastructure. 

Traditional business practice relies mainly on the trust between the involved 
parties. As a result any suggested technological solution for the E-Commerce should 
provide the same or higher level of trust to the (digitally) involved parties. In order to 
provide this level of trust a network of TTPs [11] must be evolved. European CoCs are 
the dominant candidates for undertaking this role [14]. The reasons why European 
CoCs are the dominant TTP candidates for the evolved pan-European E-Commerce 
Information infrastructure include: 

• Enterprises have already developed strong trusted relations with CoCs in each 
country with regards to traditional commerce. As a result CoCs possess a large 
enterprise related information base in each country. A pan-European CoC 
network would facilitate the formulation of the pan-European Electronic 
Commerce Information infrastructure. In addition CoCs are also linked together 
around the world through the International Chamber of Commerce (ICC). 

• The information, which is provided through the Internet for Electronic 
Commerce purposes, must be accurate and reliable [13]. CoCs, and especially 
ICC, must undertake a role contributing to the harmonization and availability of 
global terms and conditions and the provision of global principles of interactive 
advertising ethics. 

• Electronic Commerce greatly involves legal terms and guidelines in case of disputes. Trusted and neutral adjudication bodies [15] should deal with disputes. Having gained enterprise confidence, the CoCs are the best candidates for this role.

• CoCs have been granted authority by their respective governments to act as the 
official national business registers. A secure pan-European link between CoCs 
will provide a secure global business register infrastructure. The expansion of 
Electronic Commerce will be greatly influenced by the level of trust the 
enterprises themselves as well as the consumers will put on this infrastructure. 

• Finally, enterprises are more and more dependent on the automation of their transactions and exchanges due to transaction cost reduction. In addition, the progress in telecommunications offers great potential to enterprises which pursue involvement in international trade and marketing. As a result, enterprise-CoC transactions must be automated, reliable and cost beneficial not only on the national level but also on the international one.
The CoCs can provide the infrastructure in order to secure the operation of newly emerging applications such as E-Commerce [28]. Common threats [3,10,19,32] these applications face include:

• Monitoring of communication lines: networks are susceptible to any station monitoring all the traffic. Encryption techniques constitute the main response.

• Traffic analysis: by logging source and destination addresses, an individual can build up patterns of traffic. Again the classical way of preventing this is with encryption.

• Non-authorised modification of information: injection of new and modification of trespassing data can be confronted with message digests.

• Denial of information received or sent: a sender can ignore the transmission of a certain message and a recipient can ignore an unwanted message and deny its arrival. Non-repudiation processes face this kind of threat.

• Masquerade of identity: digital signatures and encryption techniques can face this threat.

• Denial of Service (DoS) and Misuse of resources: legitimate access to a network or information system can be denied and system degradation occurs. The setup of access control and monitoring of system resources can handle such cases.



• Key Personnel and physical insecurity: ensuring that proper procedures are 
adhered to by all key personnel can help to minimize such threats. 

• Scalability: Large PKIs face scalability problems arising from the management 
of numerous certificates, the interoperation and verification need between 
different CAs. 

These threats can be confronted with success by a security infrastructure 
implemented and maintained by CoCs. A security solution based on the establishment 
of Trusted Third Party services provides an answer to the security considerations of 
CoCs. 



3 Core Trusted Third Party Services (TTPs) 

A TTP has been defined by ISO/IEC [22] as a security authority or its agent trusted by 
users with respect to security-related activities, e.g. to support the use of digital 
signatures and confidentiality services. 

The architectural design that was selected [4,16,34] to implement the required TTP infrastructure in the case of COSACC is a non-hierarchical structure (Fig. 1).

Fig. 1. COSACC Architectural design



The advantages of such a structure with respect to COSACC requirements can be 
summarised to the following features : 

• Openness in relation to various user needs and policies in different domains, 

• easier establishment, 

• flexibility on legal requirements, 

• easy transformation to a hierarchical structure (if needed). 

The TTP services that constitute the COSACC Security Solution have been divided 
into two large sections: the Core Services and the Value Added Services. 

Based on the type of information transactions between CoCs, the Core Services that 
must be supported by a TTP targeted to provide a security platform for CoC 
interconnection, include: 

• Registration for the initiation of secure commercial transactions. 

• Digital signatures [18, 25] for the authenticity and the integrity of sensitive 
contractual documents and for increasing the level of trust in the transactions with 
its customers. 

• Encryption [2,17,22,26,30,31] for confidential financial reports, inter-department 
communication and technical information. 

• Key and Certificate management service [21], required for controlling the keys and certificates of the employees; it is also required by the company’s directors in order to have access to all the documents of the company that are signed and/or encrypted by their employees.

• Directory Services [12] that constitute a primary tool for storing and distributing
certificates, CRLs and other information used in a trust infrastructure, such as 
personal details, functional components etc. The directory service, known also as 
the ‘public key directory’ (PKD) is an important part of key and certificate 
management within the CoC TTPs. 

• Archiving service is also necessary for facing disputes arising between other 
companies or customers. 

• Authorization service for transferring and granting of rights from a high level 
department to a lower level department or employee, enabling her/him to perform a 
specific transaction. 

• Audit for monitoring the behavior of the system in order to assure that it operates 
according to certain predefined conditions. 

Whereas the Core Services provide basic security to the CoC network, the Value 
Added Services aim to enhance the functionality of the TTPs and confront the threats 
that arise with E-Commerce transactions. The Value Added Services consist of: the 
Time Stamping service, the Digital Seal service and the Trust Transitivity (TT) 
service. 

Time Stamping [1] attaches a date and time to a document in order to prove that it 
has been issued on a particular date and time. The aim of the service is to prove the 
time of transmission and the uniqueness of the document. Along with digital signatures, 
time stamps can be used to build a reliable non-repudiation service needed in several 
instances of the CoC operations dealing with payment orders, commercial invoices, 
customs or VAT declarations. 

The Digital Seal service is the measure for authenticity and certification of Web 
pages. A COSACC Digital Seal is provided to all certified members. 

The Trust Transitivity service provides the means for interoperation between 
TTPs and verification of their relationships. The TT service is described in the 
following section as the authors have developed it. 



4 Trust Transitivity Service 

The deployment of a large-scale network of CoCs leads to the establishment of a PKI 
with many TTPs. In such infrastructures, interoperation and transparency are 
important. These needs are addressed by the Trust Transitivity service (TT). 

The TT service is responsible for providing the interoperation between different 
trust domains. A trust domain is formed by all certificates issued by the same root. We 
define trust community as a set of disjoint trust domains. The TT service operates over 
the World Wide Web (WWW). The purpose of the TT service is to form trust 
communities by creating chains of trust. The trust chains are constructed by the cross- 
certification between different trust domains. The Trust Transitivity service also 
provides a mechanism for the verification of the cross-certificate chains. End-users consult 
the service in order to accept formerly untrusted CA certificates in a secure manner. 
Within the COSACC trust community, the so-called TT Top Level Certification 
Authority (TLCA) handles cross-certification. The TLCA acts as a mediator in 
every cross-certificate path (Fig.2). 




Fig. 2. Cross-Certification Architecture 



By having the TLCA cross-certify with each COSACC TTP, we create a common 
reference point for all trust chains. This reference point is not only used for the 
construction of the cross-certification chains, but also for the verification of these 
cross-certification chains. In fact, the TLCA is also responsible for the verification of 
every cross-certification chain within COSACC. It handles the revocation of the 
COSACC Certification Authorities through self-maintained Authority Revocation 
Lists (ARLs) and provides the most up-to-date information concerning the end points 
of a cross-certification path (i.e. the CAs). 

The Trust Transitivity service is implemented in the COSACC security solution in 
three distinct phases: Registration, Cross-Certificate Generation and Cross-Certificate 
Path Verification. 

The first phase, Registration, has been implemented through e-mail. Registration is 
mandatory for a TTP in order to cross-certify with TLCA and become a valid member 
of the trust community of COSACC. The Administrator of the CA wishing to register 
sends an e-mail to the Administrator of the TLCA providing the Distinguished Name 
of the CA, the e-mail address of the Administrator of the respective CA and a 
passphrase used for later authentication. The passphrase can be sent in plain text or 
encrypted. This is because Registration offers the flexibility to the CA Administrators 
to change the original passphrase and thus maintain confidentiality. In case the CA 
does not operate a Directory Server, the CA Administrator must include in his e-mail a 
URL in the CA’s Web Server from where the root self-signed certificate of the CA can 
be downloaded at runtime. The selection of self-signed certificates for the CAs of the 
CoCs arises from issues such as: strengthening the trust among CoCs, flexibility 
and time-saving reasons and finally the requirements of the Verification phase as 
imposed by the PKI software used [37]. 
The Registration service also includes a service that allows the CA Administrators 
to change the passphrase. This is achieved by a Web interface running exclusively 
over HTTP-over-SSL [35] which prompts the CA Administrators to change their 
passphrase. In order to validate the change of passphrase, the service first 
authenticates the CA Administrator by using the CA Administrator’s old credentials 
and the DN of the CA and by verifying an existent entry in the TLCA’s database. 

The second and most important phase of the Trust Transitivity service is the 
Cross-Certificate Generation service. It is the part that generates trust relationships 
that lead to the creation of a trust community. Trust relationships are realised by cross- 
certificates. 

A cross-certificate is a data structure that consists of a pair of X.509 certificates 
[20, 23], named the forward and the reverse component. The particular property of the 
two certificates bound in a cross-certificate pair is that the Issuer field in the forward 
component is exactly the same as the Subject field in the reverse component and vice 
versa. Both the Issuer and the Subject must therefore be Certification Authorities, 
which certify one another. 

The Cross-Certificate Generation is a service offered only to registered CA 
Administrators through a Web interface running both over plain HTTP [2] and HTTP- 
over-SSL [35]. The service consists of three basic steps: 

1. The first step involves the issuance of a Certificate Signing Request (CSR) [24] 
by the TLCA, after the CA administrator has authenticated by providing the 
appropriate credentials. 

2. The second step involves the signing of the CSR from the CA that wishes to 
cross certify with TLCA. The CSR is signed using the private key of the CA. 
Thus, the forward component of the cross-certificate is created. 

3. The final step involves the generation of the reverse component of the cross- 
certificate by the TLCA. The CA Administrator posts the signed CSR to the 
service and provides authentication credentials before requesting a cross 
certificate. If all checks succeed, the service generates a cross-certificate for the 
CA. 

Cross-Certificate Generation has been built upon the Open Secure Certificate 
ARchitecture (OSCAR) [37] of the Security Unit of the Distributed Systems 
Technology Centre (DSTC) and the Open Source toolkit that implements the Secure 
Sockets Layer (OpenSSL) and is a descendant of the SSLeay implementation of the 
Secure Sockets Layer (SSL) protocol from CryptoSoft. The TT Cross-Certificate 
Generation uses a set of CGI scripts in order to interface with OSCAR and OpenSSL. 
It utilises either the Web or the Directory for the retrieval of the CA’s self-signed root 
certificate. The location of that certificate is known to the service through the 
Registration phase. The retrieval of the certificate is done at runtime. Runtime is 
essential, because if the network is not available, the Cross-Certificate Generation does 
not proceed. After having retrieved the CA root certificate, the service uses OSCAR to 
decode the certificate, to verify the CA’s signature in the forward component as 
explained in step 2 above, to create the reverse component and finally to generate the 
cross-certificate. 
The third phase of the TT service is the Cross-Certificate Path Verification. Cross- 
Certificate Path Verification can be considered as a stand-alone service and it is not 
restricted to the members of a trust community, but rather, it is a publicly available 
service, offered to all members of the Internet community by the Web Server of the 
TT service. Its purpose is to verify that there exists a valid trust chain between two 
CAs. 

A user who wants to verify the CAs’ trust relationship (Fig. 3) has to provide the 
service with input information concerning the location of the root and cross- 
certificates (e.g. DN, URL). The user is assisted to do so by the interface of the 
service, which provides a list of CAs belonging to the same trust community. The 
procedure followed by the service to verify the cross-certification path is totally 
transparent for the end-user. 

The mechanism for validating the trust chain depends on real time verification. The 
PKI tools of OSCAR and OpenSSL have been used to validate a cross-certificate 
chain. The procedure comprises two basic steps: the first step is the verification of the 
chain from a trusted CA up to the TLCA and the second step is the verification of the 
chain from the TLCA to the untrusted CA. 




Both steps are realised by the validation of the signatures in the self-signed 
certificates and cross-certificates of the entities involved. Signature consistency is not 
the only requirement for the verification of the chain. Validity Dates, proper 
Distinguished Names, Critical X.509 Extensions, etc. are also checked. All 
verifications take place after the certificates have been downloaded. The retrieval of 
certificates is done at runtime. The verification service refuses to proceed if retrieval of 
certificates at runtime is not possible. 

Revocation is offered for Certification Authorities only. An ARL (Authority 
Revocation List) is maintained by the Trust Transitivity TLCA and contains entries for 
revoked Certification Authorities. The ARL does not need to be published since 
verification is done at runtime. In case a CA certificate is revoked, the verification 
fails warning the user and reporting specific information. 
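The cross-certificate pair property (Issuer of the forward component equals Subject of the reverse, and vice versa), the two-step path verification and the ARL check described above, as an added Python model that is not the paper's code and not OSCAR or OpenSSL: the DNs, dates and keys are constructed, and an HMAC over the to-be-signed fields stands in for each CA's X.509 signature so that only the chain logic is shown.

```python
"""Toy model of the COSACC TT cross-certificate pair and its two-step path
verification (added example; not the paper's code, nor OSCAR or OpenSSL).
DNs, dates and keys are constructed; an HMAC stands in for each CA's signature."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

TLCA_DN = "CN=COSACC TLCA"   # constructed DN for the Top Level CA
TODAY = date(2000, 7, 10)    # constructed verification date

# Constructed per-CA secrets: the toy stand-in for each CA's key pair.
KEYS = {
    TLCA_DN: b"tlca-secret",
    "CN=CoC Athens CA": b"athens-secret",
    "CN=CoC Brisbane CA": b"brisbane-secret",
    "CN=CoC Rogue CA": b"rogue-secret",
}

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    not_before: date
    not_after: date
    signature: bytes

def _tbs(issuer, subject, not_before, not_after):
    """Serialised 'to-be-signed' fields of a certificate."""
    return f"{issuer}|{subject}|{not_before}|{not_after}".encode()

def issue(issuer, subject, not_before, not_after):
    """The issuer signs the certificate fields with its (toy) key."""
    sig = hmac.new(KEYS[issuer], _tbs(issuer, subject, not_before, not_after),
                   hashlib.sha256).digest()
    return Cert(issuer, subject, not_before, not_after, sig)

@dataclass(frozen=True)
class CrossCertPair:
    forward: Cert   # signed by the CoC CA over the TLCA's CSR (step 2)
    reverse: Cert   # generated by the TLCA for the CoC CA (step 3)

def make_cross_pair(ca_dn, not_before, not_after):
    """Build the pair; the Issuer of one component is the Subject of the other."""
    forward = issue(ca_dn, TLCA_DN, not_before, not_after)
    reverse = issue(TLCA_DN, ca_dn, not_before, not_after)
    assert forward.issuer == reverse.subject and forward.subject == reverse.issuer
    return CrossCertPair(forward, reverse)

def check_cert(cert, expected_issuer, expected_subject, arl, today):
    """DNs, validity dates, ARL status and signature; None means all checks pass."""
    name = f"{cert.issuer} -> {cert.subject}"
    if (cert.issuer, cert.subject) != (expected_issuer, expected_subject):
        return f"unexpected DNs in certificate {name}"
    if not cert.not_before <= today <= cert.not_after:
        return f"certificate {name} outside validity period"
    if cert.subject in arl:
        return f"CA {cert.subject} is revoked (listed on the TLCA ARL)"
    key = KEYS.get(cert.issuer)
    if key is None:
        return f"no key known for issuer {cert.issuer}"
    expected = hmac.new(key, _tbs(cert.issuer, cert.subject, cert.not_before,
                                  cert.not_after), hashlib.sha256).digest()
    if not hmac.compare_digest(cert.signature, expected):
        return f"bad signature on certificate {name}"
    return None

def verify_trust_chain(trusted_dn, untrusted_dn, roots, pairs, arl, today=TODAY):
    """Step 1: trusted CA root + its forward component reach the TLCA; step 2:
    the TLCA's reverse component + untrusted CA root complete the path."""
    steps = []
    for dn, via in ((trusted_dn, "forward"), (untrusted_dn, "reverse")):
        if dn not in roots or dn not in pairs:   # runtime retrieval failed
            return False, f"root or cross-certificate for {dn} not retrievable"
        root, cross = roots[dn], getattr(pairs[dn], via)
        if via == "forward":
            steps += [(root, dn, dn), (cross, dn, TLCA_DN)]
        else:
            steps += [(cross, TLCA_DN, dn), (root, dn, dn)]
    for cert, issuer, subject in steps:
        err = check_cert(cert, issuer, subject, arl, today)
        if err:
            return False, err
    return True, None

# Constructed sample community: three registered CoC CAs, one later revoked.
ROOTS = {dn: issue(dn, dn, date(2000, 1, 1), date(2002, 1, 1))
         for dn in KEYS if dn != TLCA_DN}
PAIRS = {dn: make_cross_pair(dn, date(2000, 1, 1), date(2001, 1, 1))
         for dn in ROOTS}
ARL = {"CN=CoC Rogue CA"}

if __name__ == "__main__":
    for target in ("CN=CoC Brisbane CA", "CN=CoC Rogue CA", "CN=Unknown CA"):
        print(target, verify_trust_chain("CN=CoC Athens CA", target, ROOTS, PAIRS, ARL))
    print("expired:", verify_trust_chain("CN=CoC Athens CA", "CN=CoC Brisbane CA",
                                         ROOTS, PAIRS, ARL, today=date(2001, 6, 1)))
```

Run stand-alone it prints one accepted chain (Athens to Brisbane) and three refusals: a CA on the ARL, a CA whose certificates cannot be retrieved, and an expired cross-certificate.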
If a trust chain is verified successfully, the user is provided with information 
concerning the formerly untrusted Certification Authority. This information is 
extracted using the OpenSSL toolkit and includes the DN of the CA, the Public 
Key and the fingerprint of the certificate. The service also prompts the user to install 
the newly verified certificate to a local certificate store. After successful verification, 
the certificate of the formerly untrusted CA is cached in a location in the secure part of 
the TLCA Web server and the user downloads the certificate over HTTP-over-SSL. 
Thus, the risk of a spoof attack against the real origin of the CA certificate (i.e. the CA 
itself) is minimized, since both the downloading and the verification in real time assure 
the user of the authenticity and validity of the certificate. 



5 Conclusions-Further Research 

In this paper we presented a new Trusted Third Party (TTP) service, developed in 
order to make different Certification Authorities (CAs) interoperable based on cross- 
certification and real time verification of cross-certificate chains. The verification of 
cross-certificate chains currently supports only Certification Authorities. It needs to be 
enhanced by an on line mechanism like the Online Certificate Status Protocol (OCSP) 
[27] in order to provide information concerning the status of the personal certificates 
of the end-users. Furthermore, the issue of interoperation in more complex hierarchies 
of CAs remains to be addressed. Integration with existing communication tools will 
enhance user friendliness and transparency. Although during the COSACC project the 
certificate policy issues were resolved by a contractual agreement between the 
members of the COSACC consortium, further study on policy issues needs to be 
conducted. 
Abstract. The participating entities in an electronic payment usually 
include an overseeing bank as well as a customer and a merchant. Many 
electronic payment schemes are designed so that the bank is off-line 
during the actual payment between the customer and the merchant. This 
paper introduces the concept of passive entities which allows the 
protocol designer to allocate the level of processing required by an entity 
during a particular phase of the payment scheme. To illustrate the use 
of passive entities, a new electronic payment scheme is developed which 
has the customer assigned as the passive entity during payment. This 
new protocol is more efficient than similar protocols. A variation of this 
protocol is also described in which the identity of the customer is kept 
anonymous from the merchant. 



1 Introduction 

Most of the secure electronic payments conducted on the Internet today use the 
Secure Socket Layer (SSL) protocol [13] to ensure that messages are exchanged 
with integrity and in a confidential manner. SSL also provides server 
authentication. But the security provided by SSL is often not all that is required in a 
payment transaction. Electronic payment schemes which sit in the application 
layer are required to provide additional services such as non-repudiation, dispute 
resolution, fair exchange and anonymity. 

To provide these services electronic payment schemes are in most part 
based on forms of physical payment. The particular architecture that a payment 
scheme is based on is called a transaction model. The transaction model defines 
the number of entities required by the payment scheme and how these entities 
interact with each other. The transaction model may also limit the characteristics 
and payment services which are available in the payment scheme. 

The majority of electronic payment schemes [2,3,4,5,6,7,8,9,10,14,15,16] etc. 
are based on the traditional credit card transaction model. This model consists 
of a framework of three entities: the customer, the merchant and the bank. These 
parties usually conduct several exchanges to achieve secure electronic payment. 
In this paper we present the new concept of passive entities which create 
interesting electronic payment systems that are not restricted to the traditional 
credit card transaction models. These new transaction models provide an 
opportunity to shift the burden of computation and storage and improve the efficiency 
of the payment transaction. They also allow flexibility for different application 
scenarios. 



1.1 Related Work 

The amount of work which concentrates specifically on the design of transaction 
models for electronic payment systems is not extensive. Many electronic payment 
schemes are designed in an “ad hoc” manner or using general secure protocol 
design principles such as the ones presented by Abadi and Needham [1]. There 
are several examples of different transaction models being employed by various 
electronic payment schemes. 

The older and more traditional electronic payment schemes are based on 
funds transfer or credit card transaction models. These transaction models allow 
for a payment request from the merchant to be authorized by the customer. The 
bank, on verifying the validity of the authorization, directly transfers funds from 
the customer’s account to the merchant’s account. The funds never leave the 
secure banking environment. The Secure Electronic Transaction (SET) [14,15,16] 
and iKP [2] protocols are based on this transaction model. 

A token based transaction model is required for off-line anonymous 
exchanges. This transaction model is based on the exchange of physical cash. The token 
allows funds to be anonymously withdrawn by customers, paid to merchants and 
deposited at banks. If a token is lost it usually means that the value is also lost. 
Most electronic cash schemes such as Brands’ Internet cash scheme [3,4] and 
Chaum’s eCash [7,18] scheme are based on this transaction model. 

Foo and Boyd developed a voucher scheme [11] which uses a different 
transaction model. They identify that within a transaction model, all entities have 
to agree to commit to a transaction. This achieves the accountability or non- 
repudiation property required by most electronic payment schemes. The commitment is 
usually represented by a bit string of data which is transmitted from entity to 
entity. A model of the commitment data was developed which enabled the 
design of new transaction models. The voucher payment scheme is the result of 
employing an alternate flow of this commitment data. 

Kelsey and Schneier [17] also developed a purchase order payment scheme 
which uses a unique transaction model. The transaction model used in their 
scheme is “buyer driven”, thus it transfers most of the processing load to the 
buyer, allowing the customer to determine the conditions of the sale rather than 
the merchant, which is the case for most of the payment schemes described 
previously. 
1.2 Our Approach 

Original electronic payment schemes can be developed by assigning one or more 
entities in the transaction model as being passive, meaning that the entity does 
not conduct any cryptographic processing but may be required to transmit and 
receive messages to other entities. There is no limitation as to which parties 
may be passive, as either the customer, merchant or bank may be passive during 
the payment phase. We illustrate the usefulness of this new design concept by 
presenting an efficient payment scheme which has a passive customer. 

This new protocol has many uses and can be equated to the real world 
equivalent of a classified index or stock exchange. Our protocol allows customers 
to advertise an order for a particular item or service. In the case of a stock 
exchange the customer would identify a particular company’s shares she would 
like to purchase and at what price she is willing to buy them. The customer 
could also specify how long she is willing to make this offer available. The first 
step of the protocol requires the customer to register with the bank and then 
create a specially formatted purchase order. After establishing and posting her 
order the customer is not required to do any further on-line processing. The 
customer can publish her order on a web page or FTP site. Merchants, in this 
case stock brokers, are then able to browse these orders at leisure. This situation 
is ideal for merchants to employ software agents to seek suitable customers for 
their products. Once a merchant (or his software agent) decides to fill an order he 
encrypts the electronic goods, in our example the appropriate share certificate, 
and sends it to the bank. The bank then passes the filled offer back to the 
customer. Our protocol has the advantage of allowing the bank to settle disputes. 
We regard the following as the main contributions of the current paper. 

— The identification of a new property, namely passive entities, within the 
existing electronic payment scheme framework. This property can be employed 
to design new payment schemes. 

— A new electronic payment scheme which assigns the customer as a passive 
entity, thus requiring the customer to do no on-line processing during the 
transaction or during the receipt of electronic goods. 

— A variation of the above payment scheme which allows the customer to be 
totally anonymous from the merchant. 

The following section describes passive entities and how they can be used to 
design electronic payment transaction models. Section 3 presents a new payment 
scheme which uses the customer as its passive entity. We also present a variation 
of the payment scheme which offers the customer anonymity. Section 4 provides a 
comparison with a payment scheme proposed by Kelsey and Schneier [17] which 
is similar to the new protocol. 

2 Passive Entities and Offline Entities 

Before describing the use of passive and off-line entities, we must establish some 
definitions. Electronic payment schemes usually describe a series of messages 
which conduct a secure exchange. These messages can be divided into stages. 
Each of these stages is specifically designed to achieve certain objectives. At least 
two of the customer, merchant and bank entities within the transaction model 
interact during each phase. In this paper we recognize that most payment 
schemes have five phases. These are the registration phase, the withdrawal phase, the 
negotiation phase, the payment phase, the goods delivery phase and the deposit 
phase. Not all of these phases are required in all payment schemes but the phase 
which is mandatory for all schemes is the payment phase. The registration phase 
allows an entity to register with a trusted third party. The withdrawal phase 
allows a customer to withdraw electronic funds from the trusted bank entity. The 
payment phase sees the merchant and the customer exchange electronic funds. 
The deposit phase consists of the merchant returning the funds to the bank. 
The negotiation phase is where the merchant and the customer determine the 
required value to be exchanged in the payment phase. The goods delivery phase 
is where the merchant delivers the requested goods or services to the customer. 
The negotiation and goods delivery phases are often left out of payment scheme 
descriptions because no funds are transferred. The negotiation phase is assumed 
to have occurred in some manner prior to the commencement of the protocol 
and the goods delivery phase is assumed to occur in some manner after the 
completion of the protocol. The importance of the negotiation phase is being seen 
in electronic auction schemes [12,19]. 

Within each of the payment scheme phases, each of the entities can be ob- 
served to exhibit a certain state of activity. These states are active, off-line or 
passive. Entities change states from phase to phase. Active entities in one phase 
are often off-line or passive in other protocol phases. 

Active or on-line entities are parties which are actively involved in the 
payment scheme phase. They must create, sign or encrypt messages and transmit 
them to other entities to complete the protocol phase. The first electronic 
payment schemes required that all of the participants be on-line in all phases of the 
protocol. Designers realized that this would not be suitable for a system which 
would need to handle millions of transactions per day. 

To increase the efficiency of anonymous payment, off-line schemes such as 
the “cash protocols” by Brands [3] and Ferguson [10] were designed. These 
payment schemes isolate the bank entity during the payment phase of the protocol. 
No messages are received or sent to the bank during this time. Much of the 
complexity of these schemes can be attributed to ensuring that neither the 
customer nor the merchant cheat while the bank is off-line. Off-line entities have 
no communication with the other entities. They don’t contribute anything to 
the completion of the transaction during a protocol phase. 

Passive entities are different from off-line entities in that they may transmit 
and receive messages but they do not perform any processing during a protocol 
phase. Processing in this situation can be defined as any kind of processor 
intensive operation. These would include any cryptographic encryption, decryption, 
one-way hash calculation, signature generation or signature verification. It is 
obvious from this definition that off-line entities are a subset of passive entities. 
This is a useful concept because it allows protocol designers to determine the 
level of processing activity which may be allocated to an entity during a particular 
phase of the payment scheme. 

The payment phase is common to all payment schemes. It can be defined as 
the part of the payment scheme in which the last of the participants agrees to 
the transaction. That party usually provides proof of this agreement in the form 
of a digital signature. With most payment transaction models there are three 
parties involved in the transaction and all must digitally sign a commitment 
to complete a transaction. This means that two of the participants may sign 
the commitment prior to the final participant. Passive entities are usually the 
first or the second participant in the transaction model to sign the commitment. 
One of the advantages of using a passive entity is that there is no set time 
period between the second and third entity signing the commitment. Because 
the passive entity is not required to conduct any cryptographic processing during 
its passive phase, an untrusted third party may be used during that phase. The 
commitment may be posted on an untrusted server’s web page or FTP site until 
the third entity signs it. 

In summary, the passive entity has the following properties which define it. 

— The passive entity does not conduct any cryptographic processing during its 
passive stage of the protocol. 

— The passive entity may participate in the protocol by transmitting and 
receiving messages. If a passive entity does not communicate with other parties 
during a protocol phase it is an off-line entity. 

— The passive entity must have given consent to the transaction prior to the 
payment phase of the exchange. 

Most efficient payment schemes have some form of passive entity. Table 1 
shows the state of activity for the customer, merchant and bank entities during 
the payment and negotiation phases of various payment schemes. The 
negotiation phase has been included because it is also common to many protocols. 

Currently most electronic payment schemes which contain a passive entity in 
the payment phase have assigned that role to the bank. This is mainly because 
the bank’s trusted server is seen to be the most processor and traffic intensive 
entity of all the payment participants. In Brands’ [3] Internet cash scheme the 
bank signs the electronic coin before sending it to the customer. During the 
payment phase of the protocol only the customer and the merchant are required 
to sign the coin. The bank is only required again during the deposit when the 
merchant returns the coins to the bank for verification. 

The voucher scheme [11] assigns the passive role to the merchant instead of 
the bank. In the voucher scheme, the merchant and the bank interact to create a 
voucher. During this stage both of these entities are required to sign the voucher. 
This voucher resides on the merchant until an interested customer decides to 
purchase goods or services from the merchant. The customer downloads these 
from the merchant in an embedded form with the voucher. But the merchant is 
not required to take any action. It is passive during the exchange. The customer 
then redeems her voucher with the bank’s help. One of the advantages of the 
voucher scheme is that the merchant is basically passive through the whole 
payment except for the creation of the voucher. 

Table 1. A comparison of the activity state for various payment schemes during the 
negotiation and payment phases. 

Protocol                     Phase        Bank      Customer  Merchant 
---------------------------  -----------  --------  --------  -------- 
Brands Internet Cash [3]     Negotiation  Off-line  Active    Passive 
                             Payment      Off-line  Active    Active 
NetBill [8] and SET [14]     Negotiation  Off-line  Active    Passive 
                             Payment      Active    Active    Active 
Vouchers [11]                Negotiation  Off-line  Active    Passive 
                             Payment      Active    Active    Off-line 
Kelsey and Schneier          Negotiation  Active    Off-line  Active 
Purchase Orders [17]         Payment      Active    Off-line  Active 
Proposed Scheme              Negotiation  Off-line  Passive   Active 
                             Payment      Active    Passive   Active 

Kelsey and Schneier’s [17] “buyer-driven” system contains an off-line 
customer entity. This system was not designed specifically employing the passive 
property of the customer. As a result, the bank is required to be on-line during 
the price negotiation. The customer must also register with the bank for each 
new purchase order she wishes to create. Their system does not incorporate the 
delivery of electronic goods or the conduct of any dispute resolution which our 
scheme does. 

The following purchase order payment scheme assigns the customer as a 
passive entity during the payment phase of the scheme. Like Kelsey and Schneier 
[17], the bank is required to be on-line during the transaction but the customer 
does not need to register for each payment. 

3 The New Purchase Order Payment Scheme 

The following notation is used to denote cryptographic operations. X and Y 
always represent communicating parties. K always represents a cipher key. When 
describing the following protocols, the sequence of messages is exchanged among 
three parties: C, the customer; M, the merchant; and B, the bank, acquirer or 
notary entity. 

i. X -> Y : Message   Message has been transmitted by entity X to be received 
                      by entity Y. This message is the ith message in the 
                      protocol. 

E_K(Message)          Message, encrypted by using key K. Any suitably secure 
                      algorithm may be used. It is assumed that any shared 
                      session keys or public keys have been distributed 
                      securely. If key K has the form XY, this indicates that 
                      the key is known only by X and Y and thus only these 
                      entities know the contents of Message. 

Sig_X(Message)        This indicates that Message has been digitally signed by 
                      X using public key cryptography. This implies that X’s 
                      public key is used to ensure that the message was 
                      transmitted by X. It is assumed that the message is 
                      transmitted with the signature attached. 

H(Message)            A cryptographic checksum of Message, using an algorithm 
                      such as the Secure Hash Algorithm (SHA) one-way hash 
                      function. 

Message               Message in lower case indicates a concatenation of 
                      several data items specified in each individual protocol. 

MESSAGE               MESSAGE in upper case indicates a single data item. 
                      Data items separated by commas are concatenated 
                      together. 


3.1 The Registration Phase 

The aim of this phase is to allow the bank server to distribute secret keys to both 
the customer and the merchant which they will use later in the protocol. It is 
assumed that the bank and customer have exchanged public keys and the bank 
and the merchant have also exchanged public keys. Thus the bank can verify the 
authenticity of both the customer’s and the merchant’s digital signature. The 
customer and merchant can also verify the authenticity of the bank’s digital 
signature. 



1. C -> B : Sig_C(CID, E_CB(CustomerAccountDetails)) 

2. B -> C : Sig_B(E_CB(K_C), Expiry_C) 

3. M -> B : Sig_M(MID, E_MB(MerchantAccountDetails)) 

4. B -> M : Sig_B(E_MB(K_M), Expiry_M) 

In message 1 the customer makes a request to the bank for a key which 
will allow her to create purchase orders. The customer must provide a unique 
customer identification number, CID, as well as her account details. The bank 
saves this information so that he knows which account to debit when merchants 
offer to fill in the customer’s request. By signing the message the customer 
ensures that no one else can request a customer key in their name. Of course the 
customer account details must not be allowed to be sent across an open network 
in the clear. 

The bank returns an encrypted customer key, K_C, to the customer in message 
2. The bank includes an expiry date for the customer key in the message to 
indicate the lifetime of the key. As the customer key is the key that the customer 
uses to create a purchase order, it is essential that it be encrypted so that it is 
only revealed to the customer. This message must be signed by the bank so that 
the customer is assured that the customer key is a legitimate key and not a false 
key from an external party. 

Message 3 is very similar to message 1 except that this time the merchant 
requests a merchant key from the bank. The key will allow him to accept offers 
made by customers. Like message 1 the merchant must include a unique 
merchant identification, MID, as well as his encrypted account details. These details 
tell the bank which account it should deduct when the merchant fills an order. 

In message 4, as in message 2, the bank returns an encrypted key, this time 
to the merchant. The merchant key, K_M, enables the merchant to fill customer 
requests and, like the customer key, it also has an expiry date. This message 
should also be signed by the bank to assure the merchant that he has not 
received a false key. 

It should be obvious that the two messages required to register the customer 
and the two messages required to register the merchant need not be exchanged 
directly before a transaction. It is assumed that they are performed well 
beforehand. It is also not necessary that the merchant register after the customer. 

Once the customer has successfully received her K_C from the bank she can 
create an order for each of her required purchases. The customer's purchase order 
will contain a description of the goods which she requires, the price she is 
willing to pay for them and an expiry date indicating how long she is willing 
to wait for an offer. The first step in creating an order requires the customer 
to generate an order key K_O. The main purpose of this key is to provide a way 
for the bank to verify that the customer has previously been approved. This is 
done in the following manner: 



K_O = H(K_C, CID, OID, Expiry_O)

The order key is derived from K_C, which is provided by the bank and known only 
to the customer and the bank. CID is the customer's unique identity, which the 
bank also knows. OID distinguishes this particular order from the customer's 
other orders. Together the CID and the OID provide a unique identifier for the 
order which cannot be tampered with. An expiry date is included to ensure that 
the order does not stand for a long period of time without being filled. It is 
assumed that the hash function is such that the value of K_C cannot be 
discovered even if multiple values of K_O, CID, OID and Expiry_O are known 
(in practice, a keyed hash such as an HMAC under K_C gives this property). 
The use of the key K_O is described in later sections. 

One of the advantages of this purchase order scheme is that the customer 
can create as many orders as she wishes using the same value K_C. This means 
that she only has to contact the bank once, thus saving both her and the bank 
additional processing and message transfer. It is advisable that the customer 
periodically renew K_C for security reasons. 
3.2 The Order Posting Phase 

During this phase the customer posts her order onto her web page or FTP site, 
making it available for all merchants to consider. It is not necessary for the 
merchant to download the purchase order to browse the conditions. It is quite 
feasible that a customer would advertise the purchase order’s conditions on her 
web site and make available a separate link to download the purchase order. 

It is necessary that the customer sign the purchase order even though the 
bank can determine which customer it is from the CID. Signing the order makes 
it hard for external parties to alter the contents of the order and it links the 
order identity and the customer identity to the conditions. 

5. C -> M : Sig_C(K_O, CID, OID, Expiry_O, Conditions)

The purchase order contains a set of human-readable Conditions that the 
customer wishes to be filled. These conditions should precisely describe the goods 
which the customer requires and the price which she is willing to pay for them. 
The purchase order also contains the customer identity and the order identity. 
These are required to uniquely identify the customer's order. The expiry date 
of the order is included to indicate to the merchants how long the customer is 
willing to wait for her order to be filled. 

The merchant can download the purchase order with no obligation to fill it. 
It may be that the merchant does not currently have the goods or may be hoping 
to find a better offer from another customer but will settle for this offer if none 
arises. Because the customer has signed the purchase order she has committed 
to it. The merchant can be assured that the customer will pay for the goods 
provided. 

3.3 The Order Filling Phase 

Once the merchant has decided that he will fill a particular order he must 
download it and conduct the order filling phase of the protocol. 

Firstly the merchant must create a purchase key, K_P, to encrypt the electronic 
goods which fulfil the purchase order. This is done in the following manner: 

K_P = H(K_M, K_O, MID)

K_M is the key which the merchant shares with the bank. K_O is required 
to associate the purchased goods with the customer's purchase request. The 
merchant's identity is included to provide a way to associate the purchase key 
with the merchant. As with the order key created by the customer, it is assumed 
that the hash function used to create K_P is such that K_M cannot be determined 
even if multiple values of K_P, K_O and MID are known. 

6. M -> B : Sig_M(E_KP(Goods), MID, Sig_C(K_O, CID, OID, Expiry_O, Conditions))

7. B -> M : E_MB(Sig_B(SuccessFlag))

8. B -> C : E_CB(K_P), Sig_M(E_KP(Goods), MID, Sig_C(K_O, CID, OID, Expiry_O, Conditions))
Now that the merchant has generated K_P he must encrypt the requested 
goods with it. In message 6 of the protocol the merchant signs the encrypted goods, 
his merchant identity and the customer's purchase order which he is filling, and 
sends it to the bank. When the merchant signs this message he is committing to 
the transaction. The customer is assured that the merchant will fill her purchase 
order. 

When the bank receives message 6, it must check whether the transaction should 
go ahead. First of all the bank checks that the customer is a valid customer 
by verifying that the key K_O has been correctly generated: it recomputes the 
key from the CID, OID and Expiry_O in the message and the original key 
K_C associated with that CID. The bank then checks that the purchase order has 
not previously been filled; it only needs to keep an order's record until the 
Expiry_O date. The bank also verifies that the customer can pay for the goods 
provided by the merchant. If the conditions of the transaction require it, the 
bank can verify that the goods provided by the merchant do fulfil the purchase 
order. See the dispute resolution section for a description of how the bank does this. 

In practice it is unlikely that the bank would be requested to verify the 
goods during the transaction as it would be time consuming and most likely 
unnecessary if most merchants are honest. At this point the bank can also deduct 
funds from both the merchant and the customer for using its facilities. 

The bank now sends a SuccessFlag to the merchant if it approves of the 
transaction. This flag must be signed by the bank so that the merchant knows 
it is a legitimate response. A fake response may fool the merchant into thinking 
he has sold his goods falsely or that he has failed to sell his goods at all. It 
is optional to encrypt this message as it only prevents external parties from 
determining a merchant’s sales figures. 

It is possible for a merchant to receive a SuccessFlag indicating a failed 
transaction. A transaction is most likely to fail because another merchant may 
have previously filled the customer’s purchase order and that the customer has 
not yet had a chance to remove the purchase order from its post. 

As well as sending the SuccessFlag to the merchant in message 7, the bank 
has the duty of passing on the encrypted goods to the customer in message 8. 
This message is the same as the message sent to the bank in message 6 except 
that the release key for the goods Kp is also sent to the customer. This is sent 
encrypted of course! 

3.4 A Variation 

One of the disadvantages of the previously described protocol is that the 
customer does not remain anonymous from the merchant once she posts her 
requests. Another disadvantage is that the merchant may not be able to complete 
a transaction because the customer's order may have already been filled, thus 
potentially wasting the merchant's time and processing. 

These problems can be solved if the customer is able to post her purchase 
order at the bank or some other trusted third party. A limited form of anonymity 
is achieved if the bank hides the customer’s identity. As with other electronic 
payment schemes there is a tradeoff between customer anonymity and efficiency. 
By having a list of customers’ orders displayed at the bank, the merchant is only 
required to access one web page or FTP site. The bank can also keep an accurate 
list of orders, displaying only unfilled orders. This ensures that merchants fill only 
unfilled orders. Unfortunately the customer’s identity is still known to the bank 
or trusted third party. 

In this variation of the payment scheme the customer does not advertise her 
own purchase requests. Instead she sends the purchase request to the bank or 
trusted third party which knows the customer key K_C. It is up to this party to 
generate an anonymous purchase order. But first the bank must check that this 
is a legitimate purchase order by verifying the customer's signature (and thus 
the customer's commitment) and that the key K_O has been created correctly. 

5. C -> B : Sig_C(K_O, CID, OID, Expiry_O, Conditions)

The anonymous purchase order should contain K_O, Expiry_O and Conditions. 
It is then signed by the bank and posted for merchants to view. The 
bank's signature is a guarantee that a legitimate customer has committed to 
the request. The bank must keep an index of which K_O matches each CID and 
OID pair. If a merchant decides to fill the purchase order he must download the 
anonymous request. 

5a. B -> M : Sig_B(K_O, Expiry_O, Conditions)

To complete the transaction the merchant and bank transmit the same messages 
as in the original protocol, except that in message 6 the merchant returns the 
anonymous purchase order instead of the customer's. After the bank receives 
message 6 it can look up which customer and order identity the merchant has 
offered to fill, ensuring that the correct customer receives the merchant's goods 
in message 8 of the protocol. 

To achieve customer anonymity an extra message has been added to the 
protocol. The bank also has to perform an additional signature operation as 
well as keep track of the true customer and order identities of the anonymous 
purchase orders. At no time during the protocol do the merchant and the 
customer exchange messages. This affords anonymity from the merchant (though 
not from the bank), as there are not even router records for the merchant to check. 

3.5 Protocol Security 

The security of this protocol is breached when a transaction is prevented from 
being completed successfully. Threats to electronic payment scheme security can 
either be external or internal. 

External threats are generated by parties outside the protocol. The contents 
of the messages and the cryptographic tools used to create them are chosen to 
foil specific external threats. Each message is uniquely identified by CID, MID 
and OID; together with the bank's record of filled orders, kept until Expiry_O, 
this lets the bank reject a replayed message 6. As well as providing 
non-repudiation, signed messages prevent external parties from masquerading as 
participants. Signed messages and the secret customer key K_C and merchant key 
K_M help to maintain message integrity and prevent man-in-the-middle attacks. 
Critical data, such as the purchase key K_P and the SuccessFlag, are encrypted 
so that external parties cannot take advantage of the protocol. 

Internal threats are generated from participants of a secure protocol. It is 
possible that either the customer or the merchant will try to cheat the other 
parties in the transaction. A special dispute resolution protocol is available to 
deal with these situations. 



Dispute Resolution. A dispute occurs if the customer or the merchant is not 
satisfied that the transaction was completed successfully. The bank is assumed to 
be an impartial judge trusted by the customer and merchant such that they will 
abide by all the bank’s decisions. It is unlikely that this protocol will be called 
on frequently as most merchants and customers are assumed to be honest. 

The main aim of the dispute resolution protocol is to ensure that the 
transaction is completed successfully. The dispute resolution protocol consists of 
the following message from the customer to the bank: 

E_CB(K_P), Sig_M(E_KP(Goods), MID, Sig_C(K_O, CID, OID, Expiry_O, Conditions))

The customer returns the message she received in message 8 of the protocol. 
It is now up to the bank to determine who is at fault in the dispute. 

Firstly, the bank regenerates K_P using K_O, MID and K_M. The new K_P 
is compared with the one sent with the message. If it is not the same, either the 
merchant sent an incorrect key or the customer has returned an incorrect K_P 
in the dispute resolution protocol. In either case the bank returns the correct 
K_P (encrypted, of course) to the customer. 

If K_P is correct, the goods sent by the merchant are verified. The bank can 
use the newly created K_P to decrypt the electronic goods and manually verify 
that their contents match the description in the customer's purchase order. If the 
goods do not match the description, appropriate action can be started against the 
merchant who has cheated. Unless the customer is able to forge the merchant's 
signature, the customer is unable to plant false goods to frame the merchant. 
The bank has enough information to roll back the transaction. 

Neither the merchant nor the customer can deny that they have agreed to the 
conditions, as they have both signed the purchase order. 
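As an added illustration, not code from the paper, the following Python models the key derivations of Sections 3.1 and 3.3 and the bank's checks in the order filling and dispute resolution phases (Sections 3.3 and 3.5). It instantiates the paper's H(K, ...) as HMAC-SHA256 keyed with the bank-issued secret (K_C or K_M) over a length-prefixed encoding of the remaining fields, which gives the "K_C cannot be recovered from many K_O values" property the paper assumes. The goods cipher is a SHA-256 keystream stand-in for E_KP, and the digital signatures and E_CB/E_MB channel encryption are assumed to be provided by the transport and are not modelled. Party names, balances and dates are constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import date


def _enc(*fields):
    """Length-prefix each field so different field splits cannot collide."""
    out = b""
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        out += len(b).to_bytes(4, "big") + b
    return out


def order_key(kc, cid, oid, expiry):
    """K_O = H(K_C, CID, OID, Expiry_O), customer side (3.1); HMAC under K_C."""
    return hmac.new(kc, _enc(cid, oid, expiry.isoformat()), hashlib.sha256).digest()


def purchase_key(km, ko, mid):
    """K_P = H(K_M, K_O, MID), merchant side (3.3); HMAC under K_M."""
    return hmac.new(km, _enc(ko, mid), hashlib.sha256).digest()


def keystream_xor(key, data):
    """Stand-in for E_KP(Goods): SHA-256 counter-mode keystream XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Bank:
    """The passive entity: issues K_C/K_M, checks message 6, settles disputes."""

    def __init__(self):
        self.customers = {}  # CID -> [K_C, Expiry_C, balance]
        self.merchants = {}  # MID -> K_M
        self.filled = {}     # (CID, OID) -> MID, needed only until Expiry_O

    def register_customer(self, cid, balance, expiry):  # messages 1 and 2
        self.customers[cid] = [secrets.token_bytes(32), expiry, balance]
        return self.customers[cid][0]

    def register_merchant(self, mid):  # messages 3 and 4
        self.merchants[mid] = secrets.token_bytes(32)
        return self.merchants[mid]

    def fill_order(self, mid, order, today):
        """The bank's checks on message 6. Returns (SuccessFlag, reason)."""
        cid, oid = order["cid"], order["oid"]
        if mid not in self.merchants or cid not in self.customers:
            return False, "unknown party"
        kc, kc_expiry, balance = self.customers[cid]
        if today > order["expiry"] or today > kc_expiry:
            return False, "order or customer key expired"
        # A correct K_O proves the poster holds K_C, i.e. was approved by the bank.
        if not hmac.compare_digest(order["ko"], order_key(kc, cid, oid, order["expiry"])):
            return False, "bad order key"
        if (cid, oid) in self.filled:  # this record is what defeats a replayed message 6
            return False, "already filled by " + self.filled[(cid, oid)]
        if balance < order["price"]:
            return False, "insufficient funds"
        self.customers[cid][2] -= order["price"]
        self.filled[(cid, oid)] = mid
        return True, "ok"

    def resolve_dispute(self, order, mid, kp_received, enc_goods):
        """Dispute resolution (3.5): regenerate K_P, then inspect the goods."""
        kc = self.customers[order["cid"]][0]
        ko = order_key(kc, order["cid"], order["oid"], order["expiry"])
        kp = purchase_key(self.merchants[mid], ko, mid)
        if not hmac.compare_digest(kp, kp_received):
            return "wrong K_P supplied; correct K_P reissued", kp
        return "K_P correct; goods decrypted for inspection", keystream_xor(kp, enc_goods)


def run_transaction():
    """One complete transaction plus the failure cases the text discusses."""
    bank, today = Bank(), date(2000, 7, 10)  # constructed sample data
    kc = bank.register_customer("C-1", balance=50, expiry=date(2001, 1, 1))
    km = bank.register_merchant("M-1")
    bank.register_merchant("M-2")
    expiry = date(2000, 8, 1)
    order = {"cid": "C-1", "oid": "O-7", "expiry": expiry, "price": 20,
             "ko": order_key(kc, "C-1", "O-7", expiry)}  # the posted order (message 5)
    kp = purchase_key(km, order["ko"], "M-1")
    enc_goods = keystream_xor(kp, b"constructed sample goods")  # message 6 payload
    forged = dict(order, ko=order_key(secrets.token_bytes(32), "C-1", "O-7", expiry))
    return {
        "forged": bank.fill_order("M-1", forged, today),  # poster without K_C
        "first": bank.fill_order("M-1", order, today),
        "second": bank.fill_order("M-2", order, today),  # second merchant is too late
        "bad_kp": bank.resolve_dispute(order, "M-1", b"\0" * 32, enc_goods)[0],
        "goods": bank.resolve_dispute(order, "M-1", kp, enc_goods)[1],
    }
```

Calling run_transaction() exercises the forged order (rejected on K_O), the first fill (accepted and debited), a second merchant's attempt on the same (CID, OID) (rejected from the filled-order record) and both branches of the dispute check. Note that the "already filled" rejection, not the identifiers alone, is what stops a replayed message 6.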



3.6 Comparisons with Kelsey and Schneier 

The original purchase order protocol developed by Kelsey and Schneier [17] was 
not developed using the concept of a passive entity. Instead they sought to design 
a buyer driven payment scheme. We chose the Kelsey and Schneier protocol as 
a benchmark because their "buyer-driven" design framework is the most similar 
to ours. In fairness, it should be noted that Kelsey and Schneier provide services 
such as anonymity which are not provided by our scheme. 

Kelsey and Schneier's protocol uses four entities to conduct a transaction: 
a customer, a merchant, an arbiter and a server. The customer registers with 
an arbiter to get permission to post her purchase order. Once the customer has 
the arbiter's acceptance she can then post her purchase order on a server. A 
customer must get an arbiter's acceptance for each order she wishes to post. 
Merchants must also get permission to browse purchase orders from the server. 
The browsing involves the merchant using a special key to authenticate each 
purchase order. The merchant must request each purchase order from the server 
separately, whether or not he wishes to fill it. Once a merchant decides to accept an 
order it is bound to him with the assistance of the server. It is up to the merchant 
to now deliver his goods as described in the purchase order's conditions. 

One of the differences in Kelsey and Schneier is that there is no set method 
to ensure that the merchant delivers his goods. The merchant can simply refuse 
to do so and the customer has no way of knowing that her offer was accepted. 



Table 2. A processing and message transmission comparison of Kelsey and Schneier's 
scheme with the proposed payment scheme. For the proposed scheme, the figure in 
parentheses is the on-line part of the total. 

                                            Kelsey and Schneier     Proposed 
                                            Purchase Orders         Payment Scheme 
  On-line Messages Transmitted              14 + number of Orders   4 
  Off-line Messages Transmitted             14 + number of Orders   4 
  Total Messages Transmitted                14 + number of Orders   8 
  Customer Encryptions (On-line)            4                       1 (0) 
  Merchant Encryptions (On-line)            3                       2 (1) 
  Arbiter/Server/Bank Encryptions (On-line) 7 + number of Orders    4 (2) 
  Total Encryptions (On-line)               14 + number of Orders   7 (3) 
  Customer Hash Calculations                2                       1 
  Merchant Hash Calculations                2                       1 
  Arbiter/Server/Bank Hash Calculations     7                       2 
  Total Hash Calculations                   11                      4 
  Customer Signatures (On-line)             4                       2 (0) 
  Merchant Signatures (On-line)             3                       2 (1) 
  Arbiter/Server/Bank Signatures (On-line)  7 + number of Orders    3 (1) 
  Total Signatures (On-line)                14 + number of Orders   7 (2) 



In terms of processing and message transmissions, the new payment protocol 
is more efficient. In Table 2 we provide a comparison of the two payment schemes. 
Several protocol design issues decrease the efficiency of Kelsey and Schneier. All 
of their messages must be transmitted for the payment to be completed, whereas in 
the new protocol only four messages need to be sent for a payment to be completed. 
The remaining four messages in the new protocol only need to be performed 
once or at periodic intervals. Kelsey and Schneier require the bank to be on-line 
while a merchant browses the orders. This greatly increases the traffic generated 
by the bank. 

Because of the smaller number of messages required, fewer encryptions and 
signatures are required. Kelsey and Schneier apply blanket encryption 
and signatures to all messages to ensure the security of their scheme. This 
policy further increases the bank's processing load: each message containing a 
single customer order that is sent to browsing merchants requires a signature 
and an encryption. Overall each participant must use more processing to complete 
a transaction. 

Customer anonymity is the main advantage that Kelsey and Schneier do 
have over our original protocol. A limited level of anonymity can be achieved in 
the new purchase order protocol using a variation of the protocol presented in 
section 3.4. 

One of the disadvantages of designing protocols with specific passive enti- 
ties is that the other participants in the protocol become more loaded. In this 
case, the bank must do the bulk of the processing in terms of encryption and 
signature generation for each transaction. The bank must also store a record of 
all transactions until the expiry date for repudiation reasons. This may not be 
suitable for some payment implementations. 

4 Conclusion 

This paper describes a concept for designing new transaction models for elec- 
tronic payment schemes. Passive entities can be used to develop transaction 
models that result in electronic payment systems which may be more efficient 
and elegant than the traditional credit card model. This paper also presents a 
new payment scheme designed using this concept. The proposed scheme, while 
providing the same security, is more efficient than other similar schemes. 
Abstract. We propose an efficient, scalable, flexible key recovery so- 
lution for use in commercial environments. Our scheme takes a new 
approach in the design of key recovery systems, called hybrid key es- 
crow. We shall demonstrate the claims by comparing the computation 
and communication requirements for our proposal with the key recovery 
solution implemented by IBM. 
1 Introduction 

Cryptography protects the confidentiality of information by limiting access to 
the plaintext of encrypted data to those that possess the corresponding decryp- 
tion keys. This in turn requires the deployment of key management techniques 
for the secure administration (generation, distribution, storage, etc) of crypto- 
graphic keys. In particular, mechanisms might be needed to allow extraordinary 
access to the plaintext data by authorised parties in cases where the corre- 
sponding decryption keys are not otherwise available. This usually involves a 
Trusted Third Party (TTP) that has the capability of restoring the appropriate 
decryption keys. This process is generically called key recovery (KR). Two typical 
scenarios where KR may be needed are: 

— when the decryption key has been lost or the user is not present to provide 
the key; 

— where commercial organisations want to monitor their encrypted traffic with- 
out alerting the communicating parties, for example to check that employees 
are not violating the organisation’s policies. 

National governments have also shown interest in the deployment of key 
recovery techniques, mainly motivated by law enforcement and intelligence concerns 
about the reduction in their capability for wiretapping and forensic analysis 
when strong cryptography is used. 

Key recovery has been the subject of much research during the last few 
years [5]. However it has been mainly driven by clearly defined government re- 
quirements [18], [9], [6] and has led to rather unsatisfactory proposals such as 
the renowned Clipper Chip in the USA and the GCHQ protocol in the UK 
[21], [4]. Only recently have serious attempts to understand the requirements for key 
recovery in the commercial sector been undertaken [15], [12], and work on 
the formulation of key recovery standards is still being done [17]. 

Many of the government requirements that have shaped the designs of KR 
schemes, can be relaxed when translated to the commercial arena. This greatly 
simplifies the design of KR schemes that are suitable for commercial environ- 
ments. The main differences between commercial and government requirements 
can be summarised as follows: 

— Scope of the KR scheme - Whereas governments desire a ubiquitous deploy- 
ment of KR that extends across multiple domains, applications and communication 
layers in which encryption is used for confidentiality purposes, the business 
scope for KR is much more localised and discriminating in its applications. 
Thus for instance, many commercial organisations do not require recover- 
ability of encrypted communications. 

— Enforceability - From a law enforcement viewpoint, it is strongly required 
that the users of a cryptographic system cannot circumvent the KR mecha- 
nism (KRM) [9]. This however is not generally the case in commercial envi- 
ronments, especially when the primary motivation for KR is just the back-up 
of keys for self-recovery. Even when KR is deployed to satisfy a requirement 
for the monitoring of encrypted communications in a corporate organisation, 
the enforceability of the KR mechanism can be based on the physical control 
that the organisation has over the computing equipment and over the applica- 
tions that can be run on it, as well as on random checks to verify that 
the encrypted information is recoverable as per security policy. Clearly, such 
means of enforceability become impractical in a global KR infrastructure. 

In this paper we first give an overview of existing KR techniques, and point 
out some of their advantages and disadvantages. We discuss the business requi- 
rements for KR, as well as the suitability of existing KR techniques. We find 
that the main shortcoming of the existing proposals in meeting such requi- 
rements is their poor efficiency, and subsequently propose a new scheme that 
significantly reduces the computational and bandwidth overhead when compa- 
red with existing schemes. This is exemplified by a comparison between our 
new proposal and the prominent scheme of Gennaro et al. [8], which has been 
integrated into IBM's KeyWorks product line [19]. 

2 Key Recovery Techniques 

In this paper we use the following terminology: 

Cryptographic End Systems (CES). These provide the functionality that 
allows cryptographic operations. CES are implemented as a product in soft- 
ware and/or hardware. KR is only concerned with those CES that implement 
confidentiality services. 




Key Recovery System for the Commercial Environment 151 



End Users (EU). Entities that employ CES for secure data communications 
and storage. End users may or may not be part of a public key infrastructure 
(PKI), i.e. be in possession of valid public key certificates. Throughout this 
paper, we use the term “user” to refer to either CES or EU. 

Key Recovery Agents (KRA). Trusted third parties that perform KR in 
response to an authorised request. 

Key Recovery Requesters (KRR). Authorised entities that request KR 
from the KRA. The KRR could be for instance a user that needs extra- 
ordinary access to her own data, an auditor, etc. It can also refer to a third 
party that acts as a proxy between them and the KRA. 

Key Recovery Information (KRI). Aggregate of data that is needed by the 
KRA in order to complete a KR request, eg. a session key encrypted under 
the KRA’s public key. 

For simplicity, in what follows we describe KRMs in a communications scena- 
rio between two users that participate in a KR infrastructure. Notice that storage 
applications can be considered as a special case of communication in which both 
the sender and the receiver are the same entity. 

KR techniques are commonly categorised into two types: key escrow and key 
encapsulation [17]. 

Key escrow encompasses those KRMs in which KRAs directly store keys, or 
information related to the keys, of the users of the system. Thus, provided 
that users employ such keys for direct bulk data or session key encryption, the 
KRAs are automatically given access to the plaintext of communications. In 
order for the KRM to work, users are restricted in the usage of the escrowed 
keys to those key establishment mechanisms that allow KRA access to the 
session key. This not only reduces the cryptographic flexibility of the system, 
but is also the main hurdle for those applications of key recovery that try to 
enforce the KRM by purely cryptographic means [13]. Controlling the usage 
of keys is made even more difficult by the fact that there are legal issues 
that disallow the escrowing of keys used for non-repudiation. Key escrow 
techniques include [11,23]. 

Key encapsulation is also known as virtual addressing [14]. KR is achieved 
by encrypting the established session key for each KRA that requires ac- 
cess to it. These encrypted (encapsulated) keys are sent together with 
the encrypted messages. An advantage of key encapsulation mechanisms is 
that they do not require users to register with the KR infrastructure, and 
no restriction on the key management techniques used to directly sup- 
port the confidentiality service is imposed on them. However, a significant 
computational and communication overhead is introduced. Examples of key 
encapsulation techniques can be found in [8,22]. As with key escrow techni- 
ques, enforcing KR by cryptographic means only appears to be extremely 
difficult. In [22] an ElGamal based key encapsulation scheme is proposed, in 
which the sender provides a publicly verifiable proof that the same session 
key has been encrypted for the receiver and the corresponding KRAs. 
However, attacks have been described in [20], and the type of attack 
described in [20] seems to affect all KR techniques. 
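As an added example, not taken from this paper or from any of the cited schemes, the following Python shows the key encapsulation technique just described: the sender encapsulates the per-message session key once for the receiver and once for every KRA, and the encapsulations (the KRI) travel with the ciphertext, so the bandwidth overhead grows with the number of KRAs and each KRI instance yields exactly one session key. The ElGamal group (p = 2^127 - 1, g = 3) and the 15-byte session key are toy parameters chosen only so the arithmetic fits; they are far too small for real use. The receiver-side check at the end is deliberately weak: without a verifiable proof of the kind proposed in [22] a receiver can only confirm that a KRI entry exists for each required KRA, not that it encapsulates the right key.

```python
import secrets

P = (1 << 127) - 1  # toy Mersenne prime, illustration only (not a real DH group)
G = 3               # toy generator


def keygen():
    """ElGamal key pair (x, y = g^x mod p) for a receiver or a KRA."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encapsulate(pub, session_key):
    """ElGamal-encrypt a 15-byte session key (so its integer value is < p)."""
    m = int.from_bytes(session_key, "big")
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P


def decapsulate(priv, c1, c2):
    """m = c2 * (c1^x)^-1 mod p; the inverse is taken via Fermat since p is prime."""
    m = (c2 * pow(c1, P - 1 - priv, P)) % P
    return m.to_bytes(15, "big")


def build_message(session_key, ciphertext, receiver_pub, kra_pubs):
    """Ciphertext plus KRI: one encapsulation for the receiver, one per KRA."""
    return {
        "ciphertext": ciphertext,
        "for_receiver": encapsulate(receiver_pub, session_key),
        "kri": [encapsulate(pk, session_key) for pk in kra_pubs],
    }


def kri_bytes(msg):
    """Per-message bandwidth cost of KR: two group elements per KRA."""
    return len(msg["kri"]) * 2 * ((P.bit_length() + 7) // 8)


def receiver_accepts(msg, required_kras):
    """Presence-only check: the receiver cannot verify the KRI contents here."""
    return len(msg["kri"]) >= required_kras


def demo():
    """Constructed run with one receiver and two KRAs in the domain."""
    rx_priv, rx_pub = keygen()
    kras = [keygen() for _ in range(2)]
    k = secrets.token_bytes(15)  # fresh session key for this message only
    msg = build_message(k, b"<ciphertext placeholder>", rx_pub, [y for _, y in kras])
    return {
        "session_key": k,
        "receiver_key": decapsulate(rx_priv, *msg["for_receiver"]),
        "kra2_key": decapsulate(kras[1][0], *msg["kri"][1]),
        "overhead": kri_bytes(msg),
        "accepted": receiver_accepts(msg, 2),
    }
```

Running demo() shows the receiver and each KRA independently recovering the same session key from their own KRI entry, and the fixed per-message overhead (here 64 bytes for two KRAs) that the text identifies as the cost of the technique; a domain with more KRAs pays proportionally more on every message.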
3 Requirements for a Commercial KR System 

The primary goal of our research is to design a product that satisfies the business 
needs for key recovery. For this purpose, the first step towards an appropriate 
key recovery scheme is to clearly understand the business requirements. In this 
paper, we concentrate only on those requirements which influence the design 
of the key recovery protocols. This approach allows us to concentrate on the 
mechanism for key recovery during the system design and isolates the myriad of 
policy issues that the mechanism could be subjected to. 

In what follows we discuss the main requirements that we incorporate in our 
design. 

Flexibility: 

R 1: The key recovery mechanism must support data communications and stor- 
age applications. Although as already mentioned, the main use of KR in corpo- 
rate organisations is intended to be storage applications, we pursue the design 
of a KRM that can also be efficiently deployed for data communications. 

R 2: The key recovery mechanism shall be independent of the cryptographic al- 
gorithm used for confidentiality. The rationale for this requirement is twofold. 
Firstly, it is considered to be a good security practice to design cryptographic 
protocols independent of the underlying algorithms. Secondly, two communica- 
ting entities employing a common protocol but different sets of cryptographic 
algorithms can agree upon a common set of algorithms to carry out the proto- 
col. This will greatly increase the inter-operability between domains with varying 
policies. 

R 3: The key recovery mechanism shall be independent of the key management 
and distribution mechanisms that support the confidentiality service. Require- 
ment R 3 has a similar effect as R 2, except that now inter-operability between 
different protocol logics is the focus. 

Enforceability: 

R 4: Key recovery mechanism shall prohibit single rogue users from subverting 
the KRM. By incorporating this requirement we aim at complying with the enfor- 
ceability requirement defined in [17] for a Level-2 (high security) KR product. 
This requirement can be satisfied if a mechanism is provided that allows the 
receiving end of a communication association to check whether KR by the ap- 
propriate KRAs is enabled. Notice that this level of enforceability is significantly 
lower than the one that has been traditionally required for law enforcement KR, 
and easier to implement. Requirement R 4 does not preclude two cooperating 
rogue users circumventing the KR mechanism while at the same time communi- 
cating securely. 

Efficiency: 

R 5: The computational, communicational and infrastructural overhead incur- 
red by the addition of a key recovery scheme shall be kept to a minimum. This 
requirement emphasises the importance of efficiency, when employing current 
computing and communication technology, in the design of key recovery systems, 
especially if intended for real-time communications. 
Unobtrusiveness: 

R 6: Key recovery mechanisms should affect confidentiality services and should 
not affect other services. Requirement R 6 defines the precise role of a key 
recovery system in a domain. It must have the capability to revoke confidentiality 
and must not alter the security guarantees of other cryptographic services such as 
authentication. 

R 7: The key recovery mechanism shall not reduce the effective strength of the 
encryption. In order to satisfy this requirement, the key recovery system must 
not leak any useful session key information, except obviously to the appropriate 
KRAs. 

Fine Granularity: 

R 8: The number of session keys that can be recovered from a single instance of 
KRI shall be small enough so as to ensure fine granularity of authorised intercep- 
tion periods. In order to satisfy this requirement, a KR that has been authorised 
for specified encrypted data or a specified time period should not compromise data 
outside the scope of the authorisation. 

Scope: 

R 9: The key recovery mechanism shall be scalable so as to accommodate big 
multinational corporate organisations, and multiple policy domains. 

Dispersion: 

R 10: The key recovery mechanism shall allow the distribution of the KRA fun- 
ction among multiple entities so as to require their joint cooperation in order to 
perform key recovery. 

4 KR Mechanism Design 

Once the requirements for our design have been established, we need to evaluate the suitability of existing KRMs. Those KRMs based on the key escrow technique, as defined in Section 2, clearly violate the cryptographic flexibility requirement that derives from R 2 and R 3, since, as we explained in Section 2, key escrow schemes limit the choice of key establishment protocols that can be used.

KRMs based on the key encapsulation technique, on the other hand, seem more appropriate for satisfying our design requirements. As already mentioned, the major drawback of these KRMs is the computational and bandwidth overhead that they introduce. As an example, a proposal for using key encapsulation mechanisms with IPSec [12] introduces a 30% to 50% bandwidth overhead [7].

Since efficiency is the main obstacle found in key encapsulation schemes towards the satisfaction of our design requirements, we investigated ways of minimising the overhead that such schemes carry with themselves. Our strategy for a new KRM is to combine both key escrow and encapsulation techniques in order to achieve a computational and communicational efficiency greater than key encapsulation only schemes, while at the same time satisfying all the requirements in Section 3.

The key encapsulation part of our approach is similar to the one taken by Gennaro et al. [8], which has been integrated into IBM's KeyWorks product line [10], and which is one of the most efficient key encapsulation mechanisms. However, by using a key escrow procedure, we have been able to significantly reduce both the computational load and the communications overhead.

4.1 The New Key Recovery System 

In this section we describe in detail our new proposal for a KR scheme, followed, in the next section, by a comparison between the new scheme and the one proposed in [8].



Overview. The protocol has three phases, as follows: 

1. Registration Phase: Initially users register with one or more KRAs in their domain. During this phase each user establishes a Diffie-Hellman (DH) shared secret with each KRA.

2. Communication Phase: This phase corresponds to the communication of encrypted data and to the generation, delivery, and (optionally) validation of the KR fields that enable recovery of the session keys used in encrypting the data. This phase is further subdivided in two:

a) Initial Set-up: This phase is performed by the two communicating parties the first time they establish a communication association. At this stage the users establish new DH shared secrets from the values already shared with their respective KRAs. These new values can be recomputed collectively by the KRAs in each domain. This phase can be made a one-off process if the established values are cached for reuse in successive sessions; and,

b) Encrypted session: After the initial set-up, a new key encrypting key (KEK) can be generated as a one-way function of the shared secrets established in the previous phase and a random session identifier. The KEK is used to encrypt the session key employed for bulk encryption, which is then appended to the encrypted bulk data.

3. Key Recovery Phase: The KRAs associated with each communicating party in each domain can restore the KEK on a per session basis when presented with the appropriate authorised request and KR fields. The release of one or more KEKs does not compromise any other keys used by the users.
KR Protocol Descriptions

System Set-up: The authorities of the system choose a large prime p of the form p = 2q + 1, such that q is a sufficiently large prime. The KR protocols use operations in the multiplicative group Z_p^*, with g an element of order q.

For brevity, we restrict our description to a basic scenario in which two users A and B, pertaining to two different domains, establish a communications association. Each user has two associated KRAs: A_1 and A_2 for user A, and B_1 and B_2 for user B. Each KRA, A_i and B_i, chooses a master key MK_{A_i} and MK_{B_i} respectively. It is important to emphasise that this is just one possible operational scenario, chosen so as to facilitate the description and analysis of the KR mechanism. The key recovery system is flexible enough to adapt to a wide variety of practical applications. Thus, for example, this basic scenario can easily be extrapolated to any number of KRAs. Furthermore the number of KRAs for each user does not need to be the same.

Registration with KRAs phase: Initially users register with the KRAs within 
their KR domain. The extension of the KR domain depends on the applicable 
enterprise policies. For example it may be a branch of a corporate organisation. 
These policies may mandate that cryptographic end systems be registered. This 
way, unregistered end users can be permitted the use of CESs and still allow 
KR. 

The goal of this phase is to establish a Diffie-Hellman shared secret between the user and her KRAs. Table 1 shows the protocol message exchange for the registration of A. User A generates a random DH key pair (x_A, y_A = g^{x_A}) and sends y_A to each KRA, A_i. Then, A_i generates a new value:

a_i = H_1(g^{x_A}, MK_{A_i})   (1)

where H_1 is a keyed hash function that is partial pre-image resistant and strong computation resistant [16, p. 325], and with the additional property [3] that gcd(a_i, p - 1) = 1. The DH secret is computed as:

\alpha_{A_i} = y_A^{a_i}   (2)

This minimises the risk of compromise of MK_{A_i} from a user. Note that, in order to obtain MK_{A_i}, an attacker has to first attack to find a_i, and then attack the hash function. Each A_i then returns the public KR key \gamma_{A_i} = g^{\alpha_{A_i}}, certified by A_i, and the corresponding g^{a_i}. Before accepting the certificates, A calculates \alpha_{A_i} = (g^{a_i})^{x_A} and checks the received \gamma_{A_i} values.

As we explain in Section 4.2, depending on the application, this phase can 
be adapted to be non-interactive. Another possible variation would merge the 
registration of the user with her Certification Authority (CA) and with the 
KRAs into a single process, at the end of which the user would obtain a single 
certificate for her authentication public key, and KR’s public keys, thus saving 
bandwidth resources. Notice however that only the KR key pair is escrowed with 
the KRAs. 
Table 1. KR Registration Phase

User A                                        KRA A_i

Choose x_A \in_R Z_p^* such that gcd(x_A, p - 1) = 1
y_A = g^{x_A}
                      ------ y_A ------>
                                              a_i = H_1(y_A, MK_{A_i})
                                              \alpha_{A_i} = y_A^{a_i} and \gamma_{A_i} = g^{\alpha_{A_i}}
                                              cert_{A_i} = Certify(y_A, \gamma_{A_i})
                      <--- \gamma_{A_i}, cert_{A_i}, g^{a_i} ---
\alpha_{A_i} = (g^{a_i})^{x_A}
Check(\gamma_{A_i}, cert_{A_i})
                      ----- ACK / NACK ----->
                                              Publish(\gamma_{A_i}, cert_{A_i})

Communication Phase: In this phase users A and B establish an encrypted 
communications association. Each user holds valid KR certificates of each other 
with their corresponding public KR keys. 



Initial set-up:

User A calculates the following:

u_1 = \gamma_{B_1}^{\alpha_{A_1}}   (3)

u_2 = \gamma_{B_2}^{\alpha_{A_2}}   (4)

The values u_1 and u_2 can be stored for reuse in all subsequent communications between the two users or recalculated at any convenient frequency. Later on, the first time that user B receives an encrypted message from A, user B needs to compute the same values as:

u_1 = \gamma_{A_1}^{\alpha_{B_1}}   (5)

u_2 = \gamma_{A_2}^{\alpha_{B_2}}   (6)

Importantly, this set-up phase requires only two exponentiations. In the general case (see Section 4.2), the number of exponentiations is equal to the maximum number of KRAs of the users. This compares very favourably with similar schemes such as in [8], making the KR quite efficient even in the cases where the u-values are not cached.



Encrypted session: 

We assume that the session key K_s which is used for confidentiality is already established and known to both A and B using some external mechanism. The goal of this phase is to prepare the KR fields that will allow the corresponding KRAs access to K_s. These KR fields will also be validated by the receiver B, if mandated by the KR policy. A does as follows:
1. Generate a random session identifier ID_s;

2. compute KEK_1 = H_2(u_1, ID_s) and KEK_2 = H_2(u_2, ID_s), where H_2 is a one-way hash function that is pre-image resistant and strong computation resistant;

3. calculate the key encrypting key, KEK = KEK_1 \oplus KEK_2;

4. encrypt the session key using a symmetric cipher, ESK = symmEnc(K_s, KEK);

5. send {ESK, ID_s, cert_{A_1}, cert_{A_2}, cert_{B_1}, cert_{B_2}} together with the encrypted bulk data to B.

When B receives the messages he can validate the KR fields. This could be done for two purposes: to verify that the session key can be recovered by B's KRAs, and, optionally, to verify that KR is also possible by A's KRAs. For the second case B will have to ensure that A's KR public keys are authentic, by verifying cert_{A_1} and cert_{A_2}. The validation process is then done as follows:

1. Calculate u_1 and u_2 corresponding to the KR public keys identified in cert_{A_1} and cert_{A_2}, as explained in the previous phase, if not known from previous sessions;

2. compute KEK_1 = H_2(u_1, ID_s) and KEK_2 = H_2(u_2, ID_s);

3. calculate the key encrypting key, KEK = KEK_1 \oplus KEK_2;

4. The validation is successful if the received ESK = symmEnc(K_s, KEK).

In the case where validation fails, a KR policy being enforced by a CES may prohibit decryption of the received data using K_s. Alternatively, the KR policy may allow decryption as long as the receiver generates the KR fields himself and makes them appropriately available. Notice however that most commercial applications will not require a validation function at all.

Key Recovery: During this phase, a key recovery requester (KRR) with the 
appropriate authorisation in a domain interacts with the KRAs identified in an 
“intercepted” message in order to recover the session key used in such message. 

Figure 2 depicts the interactions between the KRR and the KRAs in A's domain. KR in B's domain is done in the same way. Note that, for simplicity, we assume the existence of authenticated channels between the KRR and the KRAs. For each KRA A_i associated with A, the exchange is as follows:

1. the KRR sends the "intercepted" values {ESK, ID_s, cert_{A_i}, cert_{B_i}} together with other information such as the authorisation for key recovery;

2. A_i computes the corresponding u-value by doing:

a_i = H_1(g^{x_A}, MK_{A_i})   (7)

\alpha_{A_i} = (g^{x_A})^{a_i}   (8)

u_i = \gamma_{B_i}^{\alpha_{A_i}}   (9)

3. A_i recomputes its share of the key encrypting key, KEK_i = H_2(u_i, ID_s); and

4. A_i sends KEK_i to the KRR.
Once the KRR obtains both KEK_i values he proceeds as follows:

1. computes the key encrypting key, KEK = KEK_1 \oplus KEK_2; and,

2. recovers the session key by decrypting the "intercepted" ESK, K_s = symmDec(ESK, KEK).

Table 2. KR phase in A's domain

KRR                                           KRA A_i

                  --- ID_s, cert_{A_i}, cert_{B_i} --->
                                              a_i = H_1(y_A, MK_{A_i})
                                              \alpha_{A_i} = y_A^{a_i}
                                              u_i = \gamma_{B_i}^{\alpha_{A_i}}
                                              KEK_i = H_2(u_i, ID_s)
                  <------------ KEK_i -------------
KEK = KEK_1 \oplus KEK_2
K_s = symmDec(ESK, KEK)


4.2 Variations 

One of the main objectives in designing our KR system was to provide a scheme 
flexible enough to adapt to a wide range of operational scenarios. In this section, 
we explore some of the multiple variations and enhancements that allow the key 
recovery mechanism to efficiently perform in most practical environments. 

Unequal Number of KRAs: In the general case where A has KRAs A_1, ..., A_m and B has KRAs B_1, ..., B_n, with m > n, a possible method to compute the u-values is as follows:

u_1 = DH(\alpha_{A_1}, \alpha_{B_1})

u_2 = DH(\alpha_{A_2}, \alpha_{B_2})

...

u_n = DH(\alpha_{A_n}, \alpha_{B_n})

u_{n+1} = DH(\alpha_{A_{n+1}}, \alpha_{B_1})

u_{n+2} = DH(\alpha_{A_{n+2}}, \alpha_{B_2})

...

u_m = DH(\alpha_{A_m}, \alpha_{B_{m-n}})

independently of whether A is the sender or the receiver, and where DH(a, b) = g^{ab}.
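The protocol of Section 4.1 together with the pairing rule just given, run end to end as an added example (it is not the paper's code, nor IBM's). It assumes constructed toy parameters (p = 10007, q = 5003, g = 4, far too small for real use), HMAC-SHA256 re-hashed with a counter as the construction of H_1 (the paper only requires gcd(a_i, p - 1) = 1 of it), SHA-256 for H_2, and an XOR keystream as a stand-in for the unspecified symmetric cipher; certificates are reduced to the KRA's own record of y_A. It goes beyond the two-KRA description: A has three KRAs and B has two, so u_3 pairs A_3 with B_1 exactly as the rule above prescribes, and the same cyclic pairing drives key recovery in both domains.

```python
import hashlib, hmac, math, secrets
from functools import reduce

# Constructed toy parameters: p = 2q + 1 with q prime, g of order q (not for real use).
P, Q, G = 10007, 5003, 4
assert pow(G, Q, P) == 1 and G != 1
NB = (P.bit_length() + 7) // 8          # bytes needed to encode a group element

def h1(y, master_key):
    """H_1 (assumed): HMAC-SHA256 re-hashed with a counter until gcd(a_i, p - 1) = 1."""
    ctr = 0
    while True:
        msg = y.to_bytes(NB, "big") + ctr.to_bytes(4, "big")
        a = int.from_bytes(hmac.new(master_key, msg, hashlib.sha256).digest(), "big") % (P - 1)
        if a > 1 and math.gcd(a, P - 1) == 1:
            return a
        ctr += 1

def h2(u, id_s):
    """One-way hash H_2 (assumed SHA-256): KEK_i = H_2(u_i, ID_s)."""
    return hashlib.sha256(u.to_bytes(NB, "big") + id_s).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def symm_enc(key, data):
    """Stand-in for symmEnc/symmDec: XOR with a SHA-256 keystream (toy, self-inverse)."""
    return xor(data, hashlib.sha256(key).digest()[:len(data)])

def kek_from(shares):
    """KEK = KEK_1 xor KEK_2 xor ...: every KRA's share is needed (R 10)."""
    return reduce(xor, shares, bytes(32))

class KRA:
    def __init__(self):
        self.mk = secrets.token_bytes(32)   # master key MK_{A_i}, never leaves the KRA
        self.escrow = {}                    # user name -> y_A (what cert_{A_i} binds)
    def register(self, user, y):
        """Registration, KRA side (eq. 1-2); returns (gamma_{A_i}, g^{a_i})."""
        a = h1(y, self.mk)
        self.escrow[user] = y
        return pow(G, pow(y, a, P), P), pow(G, a, P)
    def recover_share(self, user, gamma_peer, id_s):
        """Key recovery (eq. 7-9): recompute u_i and release only KEK_i = H_2(u_i, ID_s)."""
        y = self.escrow[user]
        alpha = pow(y, h1(y, self.mk), P)
        return h2(pow(gamma_peer, alpha, P), id_s)

class User:
    def __init__(self, name, kras):
        self.alpha, self.gamma = [], []
        while True:                                   # x_A in Z_p^* with gcd(x_A, p - 1) = 1
            self.x = secrets.randbelow(P - 2) + 2
            if math.gcd(self.x, P - 1) == 1:
                break
        self.y = pow(G, self.x, P)
        for kra in kras:                              # interactive registration, user side
            gamma, g_a = kra.register(name, self.y)
            alpha = pow(g_a, self.x, P)               # alpha_{A_i} = (g^{a_i})^{x_A}
            assert pow(G, alpha, P) == gamma          # Check(gamma_{A_i}, cert_{A_i})
            self.alpha.append(alpha)
            self.gamma.append(gamma)
    def u_values(self, peer_gamma):
        """Initial set-up (eq. 3-6) with the Section 4.2 pairing: u_j uses own alpha_j and peer gamma_{j mod n}."""
        m = max(len(self.alpha), len(peer_gamma))
        return [pow(peer_gamma[j % len(peer_gamma)], self.alpha[j % len(self.alpha)], P)
                for j in range(m)]

def send(sender, peer_gamma, ks):
    """Encrypted session, sender side: returns the KR field (ESK, ID_s)."""
    id_s = secrets.token_bytes(16)
    kek = kek_from(h2(u, id_s) for u in sender.u_values(peer_gamma))
    return symm_enc(kek, ks), id_s

def validate(receiver, peer_gamma, esk, id_s, ks):
    """Receiver-side validation of the KR field: recompute ESK and compare."""
    kek = kek_from(h2(u, id_s) for u in receiver.u_values(peer_gamma))
    return hmac.compare_digest(symm_enc(kek, ks), esk)

def recover(kras, user, peer_gamma, esk, id_s):
    """KRR in one domain: collect KEK_j from the KRAs (same pairing as u_values), decrypt ESK."""
    m = max(len(kras), len(peer_gamma))
    shares = [kras[j % len(kras)].recover_share(user, peer_gamma[j % len(peer_gamma)], id_s)
              for j in range(m)]
    return symm_enc(kek_from(shares), esk)

def demo():
    a_kras, b_kras = [KRA() for _ in range(3)], [KRA() for _ in range(2)]   # m = 3 > n = 2
    alice, bob = User("A", a_kras), User("B", b_kras)
    ks = secrets.token_bytes(32)            # session key agreed by some external mechanism
    esk, id_s = send(alice, bob.gamma, ks)
    return {
        "receiver_validates": validate(bob, alice.gamma, esk, id_s, ks),
        "a_domain_recovers": recover(a_kras, "A", bob.gamma, esk, id_s) == ks,
        "b_domain_recovers": recover(b_kras, "B", alice.gamma, esk, id_s) == ks,
        "single_kra_insufficient": symm_enc(a_kras[0].recover_share("A", bob.gamma[0], id_s), esk) != ks,
        "fresh_id_s_changes_esk": send(alice, bob.gamma, ks)[0] != esk,
    }
```

The checks in demo() map onto the requirements of Section 3: B can validate the KR field; the KRAs of either domain, working only from the intercepted field and their escrowed state, recover K_s; one KRA's KEK_i share alone does not decrypt the ESK (dispersion, R 10); and a fresh ID_s yields a different ESK, so releasing one session's KEK exposes nothing about other sessions (fine granularity, R 8).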

Non-interactive registration of users: Many applications will not require that 
users be in possession of KR certificates. In particular, this may be the case if no 
validation of KR fields is needed or if, in a communications scenario, the receiver 
only validates that KR is possible in his domain. For this situation, users need 
not register with the KRAs interactively. The registration phase described above 
can be adapted to this scenario as follows. 
Each KRA in the user's domain, say A's, has a DH key pair (x_{A_i}, y_{A_i} = g^{x_{A_i}}). In order to increase the security of the KR system each KRA would actually have many such pairs. User A can establish new \alpha_{A_i} values with the KRAs in a non-interactive fashion by doing the following:

1. Obtain authentic DH public keys for the KRAs, y_{A_i}.

2. Choose random x_A \in Z_p^* and compute y_A = g^{x_A}.

3. Calculate the DH shared secret key, \alpha_{A_i} = y_{A_i}^{x_A}.

4. Compute the public KR values of A, \gamma_{A_i} = g^{\alpha_{A_i}}.

A would use the \gamma_{A_i} values for the creation of KR fields, and append these values together with y_A to the encrypted data. If the KRAs have multiple DH key pairs, the user would also need to include identifiers of the keys used in computing \alpha_{A_i}. In a communications scenario where A is the receiver, A would also have to authenticate \gamma_{A_i} as hers to the sender.
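The non-interactive variant as an added example (not the paper's code). It uses the same constructed toy parameters as the earlier example (p = 10007, q = 5003, g = 4) and gives each KRA three DH key pairs selected by a key id, which is why the id has to travel with the KR field: the user derives \alpha_{A_i} and \gamma_{A_i} without sending anything to the KRAs, and each KRA later reproduces \alpha_{A_i} from y_A and the private key the id names.

```python
import secrets

# Constructed toy parameters with the paper's shape p = 2q + 1 and g of order q
# (far too small for real use).
P, Q, G = 10007, 5003, 4
assert pow(G, Q, P) == 1 and G != 1

def kra_dh_keys(n_pairs):
    """A KRA holds several DH key pairs (x_{A_i}, y_{A_i} = g^{x_{A_i}}), indexed by key id."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n_pairs)]
    return xs, [pow(G, x, P) for x in xs]

def user_register_noninteractive(kra_pubs):
    """User side, steps 1-4: from the KRAs' authentic public keys alone derive
    alpha_{A_i} = y_{A_i}^{x_A} and gamma_{A_i} = g^{alpha_{A_i}}; nothing is sent
    to any KRA.  kra_pubs is a list of (key_id, y_{A_i}), one entry per KRA.
    Returns x_A and the values that travel with the encrypted data."""
    x_a = secrets.randbelow(P - 2) + 1                  # x_A in Z_p^*
    y_a = pow(G, x_a, P)
    gammas = [(kid, pow(G, pow(y_ai, x_a, P), P)) for kid, y_ai in kra_pubs]
    return x_a, {"y_A": y_a, "gammas": gammas}

def kra_alpha(kra_privs, key_id, y_a):
    """KRA side, at recovery time: alpha_{A_i} = y_A^{x_{A_i}}, selecting the pair
    named by the key id carried in the KR field."""
    return pow(y_a, kra_privs[key_id], P)

def demo():
    kra1_x, kra1_y = kra_dh_keys(3)
    kra2_x, kra2_y = kra_dh_keys(3)
    kid1, kid2 = 2, 0                                   # key ids the user chose per KRA
    _, field = user_register_noninteractive([(kid1, kra1_y[kid1]), (kid2, kra2_y[kid2])])
    # Each KRA recomputes alpha from y_A and checks it against the published gamma.
    ok1 = pow(G, kra_alpha(kra1_x, kid1, field["y_A"]), P) == field["gammas"][0][1]
    ok2 = pow(G, kra_alpha(kra2_x, kid2, field["y_A"]), P) == field["gammas"][1][1]
    return ok1, ok2
```

Compared with the interactive registration, the KRA escrows nothing per user here: everything it needs at recovery time is its own private key and the y_A found in the KR field, which is what makes the round trip unnecessary.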

5 Efficiency: A Comparative Study 

In this section we shall present a comparison between our scheme and the proposal by Gennaro et al. [8]. As already mentioned, the scheme in [8] utilises a key encapsulation mechanism, in which users do not escrow any long term keying information with the KRAs. As before, let x_A and x_B be the private keys of two communicating parties A and B. Each user belongs to a different domain. Let a_1 and a_2 be the private keys of the KRAs in A's domain, and similarly b_1 and b_2 the private keys of the KRAs in B's domain. As in our scheme, the generation of KR information is broken into two phases. During the first phase A and B establish shared secrets with each KRA. For each pair of users A and B, the shared secrets are computed as follows:

1. u_{AB} = DH(x_A, x_B)

2. u_{AB_1} = DH(u_{AB}, a_1)

3. u_{AB_2} = DH(u_{AB}, a_2)

4. u_{BA_1} = DH(u_{AB}, b_1)

5. u_{BA_2} = DH(u_{AB}, b_2)

A pictorial representation of how the above values are derived is shown in Figure 1. The circles represent the Diffie-Hellman operation, while the squares represent the different participating entities. Notice that the arrows have been drawn dotted to indicate the new values that must be computed for every pair of users. In terms of computational overhead, the Gennaro et al. scheme requires five modular exponentiations (one for each Diffie-Hellman operation), which are by far the most computationally expensive operations in the protocol. Although these values can be cached for reuse, we have to notice that in many applications it is not practically possible to securely store such an amount of information for each party that a user communicates with. For example, this would be the case in applications that rely on smart cards for secure storage of sensitive information.
Fig. 1. Gennaro et al. key encapsulation scheme

Fig. 2. New hybrid KR scheme



The pictorial representation of our scheme is as shown in Figure 2. By allowing the users to register with their respective KRAs, we reduce the number of Diffie-Hellman operations that need to be computed for each pair of users. Now the \alpha-values remain constant (solid arrows) and only u_1 and u_2 have to be computed.



Table 3. Initial Set-up Phase

                        Our proposal       Gennaro et al. [8]
Exponentiations         max(n_A, n_B)      n_A + n_B + 1
Symmetric Operations    None               2(n_A + n_B)
Hash computations       None               n_A + n_B

For a general scenario in which A has n_A KRAs, and B is associated with n_B KRAs, Table 3 and Table 4 compare the computational load in both KR schemes. In the tables, max is a function that returns the maximum value of the two inputs. Typically n_A and n_B are the same value, in which case the saving in exponentiations is more than 50%. This clearly represents a significant reduction in the computational overhead.
Table 4. Encrypted Session Phase

                        Our proposal       Gennaro et al. [8]
Symmetric Operations    1                  2(n_A + n_B)
Hash computations       max(n_A, n_B)      None

With respect to bandwidth we notice that in our scheme the random seeds that generate the KEKs are calculated directly by the KRAs, and therefore there is no need to send them in every message, as is the case in the Gennaro et al. [8] scheme. Also, in a typical scenario where n_A and n_B are approximately the same value, the number of u-values is reduced by more than 50%. Hence, the amount of information that has to be securely cached is also reduced by the same ratio. Finally, in the scheme proposed by Gennaro et al., the session key is encapsulated in separate key recovery fields, encrypted under different KEKs for each domain, whereas in our proposal the session key is encapsulated in only one field, which can be accessed by the KRAs in both domains.

6 Conclusion 

We presented an efficient, scalable, certification based key recovery system that is a hybrid of key escrow and key encapsulation techniques. The proposed key recovery system is highly flexible and can be employed in a variety of policy environments. It possesses all the properties required for commercial key recovery systems.

Additionally, we presented a comparison of our proposal with IBM's key recovery solution and demonstrated that our scheme is more efficient in terms of computation, storage and bandwidth. Therefore, we strongly believe that our scheme is more suitable for low memory, reduced power, distributed systems, such as smart card and mobile instrument based systems, than IBM's solution. Due to the resulting increase in efficiency, our system will be more suited to network layer (layer 2 and 3 in the OSI model) key recovery applications such as IPSec [1,2].
Abstract. This paper studies several of the properties necessary for public key based escrow schemes, and observes that previous schemes lack some important properties. Focusing on the type of communication typified by e-mail, we construct a novel and simple scheme that provides "warrant bounds", "admissibility", "surveillance switching", "non-directive monitoring", "off-line agency", "target hiding" and many other useful properties all at the same time.



1 Introduction 

1.1 Background 

With the advance of our computerized society, information security raises many varied demands, some of which can never be fully satisfied simultaneously. Strong ciphers, which protect privacy during communication by rendering tapping useless, have been pursued by many researchers. However, there is strong demand for monitoring communication to combat crime. A common and practical solution for this problem is to use a trusted third party. In a key escrow scheme, users have to deposit their private keys with the escrow agency (EA in short), which is assumed to disclose the keys to the law enforcement party (LEP in short) only if lawfully requested.

One direction of research on key escrow systems is to add useful functionalities. An escrow with warrant bounds [6] is a mechanism that limits the period in which the LEP can monitor. Fraud detectability [13], or compliance certification [5] equivalently, assures the LEP that he and a receiver have the same result of decryption. There are also demands for higher efficiency. The LEP wants the EA to be off-line so that they can monitor without the help of the EAs during authorized terms. It may not be acceptable to users to exchange initial messages in one-way communication like e-mail. Several other demands from each of the participants can be listed.

Most of the previous work only concerns some of the important properties listed in this paper. No previous implementation satisfies all of the useful properties at the same time. For instance, the scheme in [8] realizes warrant bounds and off-line agency but does not provide the non-interactive property (users have to exchange data with each other). The scheme in [14] has most of the properties desired while preserving inter-operability with the existing public key infrastructure. However, it fails to provide off-line agency, which would be strongly demanded by the LEP. As one more example, the scheme in [13] implements fraud detectability but it does not support warrant bounds at all.

1.2 Our Contribution 

We first study several properties including the novel notion of admissibility, which has been more or less ignored so far despite its importance. We also introduce a novel type of warrant bounds called threshold warrant bounds and develop a tool which we call non-interactive key renewal to realize the warrant bounds. Then, we construct a key escrow scheme that best suits one type of one-way communication, i.e. e-mail, where most of the properties discussed in Section 3 are needed. To be more specific, our scheme provides warrant bounds, admissibility, fraud detectability, sender authentication, shared escrow agency, surveillance switching, non-directive monitoring, off-line agency, non-interactiveness, and target hiding, all at the same time, without affecting any of them.

1.3 Organization 

Section 2 defines participants and describes our model of the key escrow system. 
Section 3 discusses the properties and requirements raised in the literature. We 
then construct a new key escrow scheme in Section 4. The security and efficiency 
are analyzed in Section 5 and 6. The extensions needed to support shared escrow 
agencies and the target hiding property are shown in Section 7. A conclusion 
and some remaining problems are stated in the last section. 

2 Model 

We assume the following three participants, all of whose computational power 
is polynomially bounded. 

User: An entity who communicates via public channels wherein lawful monitoring is approved. Each session has a sender and a receiver. The two communicating users are assumed not to possess any common secret information beforehand, and also not to communicate via physically private channels. Users may attempt to avoid law enforcement monitoring without leaving any evidence if possible.

Key Escrow Agency (EA): an entity that stores users' private keys. The EA is assumed to never leak any useful information from which the private key of any user could be determined unless a legitimate warrant is shown. We stress that the agency is trusted only in this manner (see discussion on admissibility in Section 3). We will cover the use of shared agencies which cooperatively maintain the private keys of users so that at least a quorum of agencies must commit dishonest behaviour to leak information about the private key. Some of the previous works, e.g., [7], consider a hierarchical agency structure where each agency handles a different group of users, but we do not assume such participants in this paper.

Law Enforcement Party (LEP): An organization that conducts lawful monitoring in accordance with a legitimate warrant. The LEP may deviate from the protocols in an arbitrary way. Although issuing warrants is out of our scope, we assume that warrants are unforgeable.

Lawful Authority (LA): A party which, after it approves the law enforcement 
action, issues a warrant if requested. This party is trusted in such a way that it 
never issues a warrant in conspiracy with a faulty LEP. 

Certificate Authority (CA): A party which authorizes the ownership of a 
public key. This party is a part of the public key infrastructure that maintains 
and distributes the public keys. This party is trusted in such a way that it 
never issues a certificate to a fictitious user or a user who does not know the 
corresponding private key. 

Our scenario consists of four individual protocols. First, a user obtains an authorized public key and a corresponding private key. He then registers the key pair to the EA via the key registration protocol. When the LEP deems monitoring necessary, it first obtains a warrant from the LA. The LEP then executes the disclosure protocol with the EA to get sufficient information (possibly a decryption key) with regard to the target user(s). In the communication protocol, a sender encrypts a message and sends it to a receiver who can correctly retrieve the message. While the target user is communicating, the law enforcement party invokes the monitoring protocol to obtain the decrypted message.

We assume that communication is performed over a synchronous network. Accordingly, it is assumed that messages are delivered after a delay that is small compared to the term to be explained shortly. For instance, a message that arrives after a certain period of time is to be discarded by the receiver.

3 Desirable Properties 

This section lists several requirements or preferable properties and analyzes some 
of the previous works with regard to those properties. 

Warrant Bounds : It should be possible to limit lawful activities against the 
same user within some terms. Otherwise, once a private key is given to the LEP, 
they can keep monitoring during the lifetime of the private key. This could last 
up to a few years. Thus, when warrants specify the term of approved monitoring, 
we need a mechanism that prevents the LEP from performing undue monitoring 
beyond that term. Some approaches can be seen in [8,2]. 

Admissibility: Suppose that a faulty message that does not meet expected redundancy is observed during lawful monitoring. Admissibility assures that the redundancy violation has been caused by the sender of the message. This property can be also described as verifiability for the outputs of the LEP and the EA, and undeniability of the message sender. Namely, to admit the redundancy violation as evidence of faulty behaviour of the sender, one has to assure that the message is sent from the sender, the decryption key is correct, and the decryption procedure is correct. However, the correctness of the decryption key may not be easily assured when some advanced properties are incorporated.

It should be stressed that any entity can cause Byzantine faults because of 
hardware or human errors, although it may happen only rarely. In particular, 
systems that deal with highly sensitive matters like key escrow must be designed 
so that every output is verifiable. One must be aware of the substantial difference 
between trusting one entity with regard to the confidentiality of stored data and 
trusting him on the accuracy of his computation. Thus, one can conclude that 
the EA is trusted too much in some schemes where the outputs are not verifiable. 
This property is often not considered despite its importance. 

Fraud detectability: Attempts at disabling lawful monitoring by letting the LEP recover bogus session keys must be detected, or they should result in unsuccessful communication with an honest receiver. This will be a deterrent to passive deviation by dishonest senders. Such a notion was introduced in [5] and implemented in [13]. We say that private fraud detectability is achieved if such fraud is detectable only by entities who have the correct private keys. As an alternative, public fraud detectability, where anybody can detect fraud, may be considered. Unfortunately, there is a generic attack by Waidner and Pfitzmann [10] that breaks a wide class of public fraud detectable schemes.

Shared escrow agency: The escrow agency can be replaced by multiple agencies so that at least a quorum of agencies must commit dishonest behaviour to leak information about the submitted private keys. Verifiable secret sharing would be a key technique for this property but it may not be sufficient. All computational tasks of the key escrow agency must be easily sharable (and verifiable for admissibility) as well. For instance, it is not known how to efficiently share a hash function such as MD5. In theory, the generic approach of [1] makes it possible, but it turns out to be unacceptably inefficient in practice. Thus, schemes where the escrow agency computes secrets using hash functions do not seem likely to provide this property.

Target hiding: To weaken the trust for the EA and to make the LEP more independent, it is necessary to hide the target of the surveillance from the EA. Some schemes that provide this property employ so-called "blind decoding", which allows cryptanalysis against the EA's encryption system. However, known implementations of this property greatly limit other properties such as surveillance switching capability or off-line agency. We will show a plug-in solution that is consistent with other properties.

Surveillance switching: Lawful monitoring may have to be limited to a line between specific users. On the contrary, it may be necessary to monitor all communication that involves a specific user regardless of the partner. We call these two types of surveillance "edge surveillance" and "node surveillance" respectively. A key escrow scheme should seamlessly provide both types of surveillance.

Non-directive monitoring: In the case of node surveillance, monitoring should be possible regardless of the direction of the message flow. This property is unnecessary if the target communication essentially consists of message flow in one direction. For instance, the LEP needs to monitor only outgoing messages from an FTP server to see whether it is exporting banned contents.

Offline EA: Once the LEP obtains a private key, or necessary information for 
decryption, the LEP should be able to monitor without the help of the EA. Some 
models, e.g., in [12,11], do not provide this property as the LEP must access the 
EA for each session. 

Sender Authentication: It should be possible for the LEP to identify the sender of a message to prevent a dishonest sender from impersonating another user. This property is also related to fraud detectability and admissibility. If authentication is not provided, no one can be sure whether the sender is honest because he could have been framed. Putting the sender's signature on the encrypted message is sufficient for this purpose.

Noninteractiveness: No interaction should be necessary between communicating users. This property is important for the type of communication where each session contains one message flow from one side to another.

In addition to these properties, some design principles for secure systems must 
be confirmed. For instance, in [13] users encrypt session keys with the public key 
of a server. Such systems must be avoided because they totally collapse if the 
server’s public key is compromised. 



4 Proposed Scheme 

The following setting, based on the discrete logarithm problem, is used in our construction. Let p, q be primes that satisfy q | p - 1. Let G_q be a multiplicative subgroup of order q in Z_p. We assume the use of sufficiently large p and q where the Diffie-Hellman problem in G_q is intractable. By g we denote a generator of G_q. We also assume the use of a one-way hash function H : {0,1}^* \to {0,1}^{|q|}, where |q| denotes the length of q in bits. All arithmetic will be done in Z_p hereafter unless otherwise stated. By U we denote a set of users.

4.1 Threshold Warrant Bounds 

Before describing technical details, we introduce a novel and practical variant of warrant bounds that we call threshold warrant bounds. Suppose that the lifetime of a public key is divided into P terms where terms are labelled as 1, ..., P. By \mathcal{P} we denote {1, ..., P}. A user is assumed to execute the registration protocol within P terms. Warrant bounds can be understood as a property that satisfies the following. Let T be a set of terms wherein lawful monitoring is approved against a user.

— For any T \subseteq \mathcal{P}, the LEP can monitor in term \tau if and only if \tau \in T.
Now we consider the total period of monitoring the same user. If the approved 
period is short, warrant bounds are important because they prevent privacy 
violation. If long term surveillance is approved, however, privacy has already 
been lost. Thus, assuming that long term monitoring is applied only to serious 
cases and short term monitoring is applied to usual cases, we can establish a 
sort of threshold that separates these two types of monitoring. Let t < P be a 
constant. Threshold warrant bounds imply the following properties. 

— (Short term monitoring) For any $T \subseteq \mathcal{P}$ such that $|T| \le t$, the LEP can 
monitor in term $\tau$ if and only if $\tau \in T$. 

— (Long term monitoring) For any $T \subseteq \mathcal{P}$ such that $|T| > t$, the LEP can 
monitor in arbitrary terms. 

For instance, if the lifetime of a public key is a year and each term represents a 
week, i.e., $P = 52$, and if $t = 4$, monitoring for up to one month (four weeks) 
a year should be approved for usual cases, and the LEP cannot monitor in the 
remaining weeks. Since approval for more than four weeks is equivalent to the 
period of a year, it is assumed to be applied only to serious cases. Note that as 
long as $|T| \le t$, the terms can be discrete. 

4.2 Noninteractive Key Renewal 

Our approach to realize warrant bounds is to have users frequently renew their 
public and private keys. However, this should be done without interacting with 
the EA, so that frequent access is avoided. Suppose user $u$ has $t+1$ key pairs, 
say $((x_{u0}, y_{u0}), \ldots, (x_{ut}, y_{ut}))$, that satisfy $y_{ui} = g^{x_{ui}}$ for $i = 0, \ldots, t$. We refer to 
$x_{ui}$ as the private base keys and $y_{ui}$ as the public base keys of user $u$. All the 
public base keys are certified by the CA and distributed authentically. User $u$'s 
public key in term $\tau$ is computed as: 

$$Y_{u\tau} := \prod_{i=0}^{t} y_{ui}^{\tau^i}$$ 

The corresponding private key is: 

$$X_{u\tau} := \sum_{i=0}^{t} x_{ui}\tau^i \bmod q .$$ 

That is, $X_{u\tau}$ is the evaluation of a $t$-degree polynomial $f(Z) := x_{u0} + x_{u1}Z + 
\cdots + x_{ut}Z^t$ in modulo $q$ at evaluation point $Z = \tau$. Note that any entity can 
compute $Y_{u\tau}$. 

In [2] Burmester et al. presented another implementation of noninteractive 
key renewal based on a novel non-standard assumption. However, unlike ours, 
only the owner of the public key and the EA, who knows the previous private key, 
can produce a new public key, while other users cannot compute it themselves. 
Such a property prevents users from "caching" the public keys of other users. 
Hence access to the CA will increase. 
4.3 Main Protocols 

Each user $u \in U$ randomly chooses $t+1$ private base keys $x_{ui} \in_R \mathbb{Z}_q$ for 
$i = 0, \ldots, t$ and computes the corresponding public base keys $y_{ui} := g^{x_{ui}}$. 
He then sends all $y_{ui}$ to the CA and proves that he knows the corresponding 
private base keys by using a zero-knowledge interactive proof. Once the procedure 
is completed correctly, the user's public base keys are registered with the public 
key infrastructure and distributed authentically. A user also registers his public 
key used for a signature scheme. The corresponding private key must be cho- 
sen independently from the private base keys, and it must not be revealed to 
anybody, including the EA. 

When a user registers his/her keys to the EA, the following protocol is per- 
formed. 

[Registration Protocol] 

R-1. User $u$ sends $(x_{ui}, y_{ui})$ for $i = 0, \ldots, t$ to the EA. 

R-2. The EA obtains a certificate from the public key infrastructure and checks 
whether the public base keys are authorized. It then verifies that $y_{ui} \stackrel{?}{=} g^{x_{ui}}$ 
for all $i = 0, \ldots, t$. If successful, the EA stores everything received. 

[End] 

To conduct surveillance, the LEP must first obtain a warrant that specifies 
the target user(s) and term(s). Let $\tau$ be the target term wherein monitoring 
is approved. For node surveillance, the LEP needs $X_{u\tau}$. The following is the 
disclosure protocol for node surveillance against user $u$. 

[Disclosure Protocol (Node)] 

Dn-1. The EA computes $X_{u\tau} := \sum_{i=0}^{t} x_{ui}\tau^i \bmod q$ and sends it to the LEP. 

Dn-2. The LEP computes $Y_{u\tau} := \prod_{i=0}^{t} y_{ui}^{\tau^i}$ and verifies that $g^{X_{u\tau}} = Y_{u\tau}$. 

[End] 

For edge surveillance between user $u$ and $v$, the LEP needs the common key 
$K_{uv\tau}$. However, unlike the disclosure protocol for node surveillance, it is difficult 
for the LEP to verify the correctness of the obtained $K_{uv\tau}$ without knowing 
the corresponding $X_{u\tau}$ or $X_{v\tau}$. In the following disclosure protocol for edge 
surveillance, the EA provides a proof for the relation $\log_g Y_{u\tau} = \log_{Y_{v\tau}} K_{uv\tau}$ by 
using the Chaum-Pedersen protocol [3]. 

[Disclosure Protocol (Edge)] 

De-1. The EA computes $X_{u\tau} := \sum_{i=0}^{t} x_{ui}\tau^i \bmod q$, $Y_{v\tau} := \prod_{i=0}^{t} y_{vi}^{\tau^i}$, 
$K_{uv\tau} := Y_{v\tau}^{X_{u\tau}}$. It chooses $w \in_R \mathbb{Z}_q$ and computes $c := \mathcal{H}(K_{uv\tau} \,\|\, g^w \,\|\, Y_{v\tau}^w) 
\bmod q$ and $z := w - cX_{u\tau} \bmod q$. The EA sends $K_{uv\tau}$ and $(c, z)$ to the 
LEP. 

De-2. The LEP computes $Y_{u\tau} := \prod_{i=0}^{t} y_{ui}^{\tau^i}$, $Y_{v\tau} := \prod_{i=0}^{t} y_{vi}^{\tau^i}$. It then 
verifies $c = \mathcal{H}(K_{uv\tau} \,\|\, g^z Y_{u\tau}^c \,\|\, Y_{v\tau}^z K_{uv\tau}^c) \pmod q$. 

[End] 

When sender $u$ sends a message to receiver $v$, they follow the next procedure. 
Let $\sigma_u(msg)$ be a signature for message $msg$ to be sent (the signing keys must 
be independent of the deposited base keys). By $E_{key}(msg)$ we denote a symme- 
tric encryption of $msg$ with common key $key$. Messages are assumed to have 
appropriate redundancy. 

[Communication Protocol] 

C-1. Sender $u$ computes $K_{uv\tau} := Y_{v\tau}^{X_{u\tau}}$. 

C-2. Sender $u$ then sends 

$$E_S(M) \,\|\, E_{K_{uv\tau}}(S) \,\|\, \sigma_u\big(E_S(M) \,\|\, E_{K_{uv\tau}}(S)\big)$$ 

to receiver $v$ where $M$ is a message to be received, $S$ is a session key 
selected randomly, and $\sigma_u$ is a signature for the previous two parts. 

C-3. Receiver $v$ verifies $\sigma_u$ with $u$'s public signature verification key. Then, 
$v$ computes his private key $X_{v\tau}$ and $u$'s public key $Y_{u\tau}$. He computes 
$K_{uv\tau} = Y_{u\tau}^{X_{v\tau}}$ and decrypts $E_{K_{uv\tau}}(S)$ with $K_{uv\tau}$ to retrieve session key $S$. 
He then decrypts $E_S(M)$ with $S$ to recover $M$. If $S$ or $M$ does not have 
proper redundancy, discard everything received. 

[End] 

Monitoring is done as follows. The LEP first verifies $\sigma_u$ with the sender's 
signature verification key. For node surveillance, the LEP computes $K_{uv\tau} = 
Y_{v\tau}^{X_{u\tau}}$ and decrypts $E_{K_{uv\tau}}(S)$. For edge surveillance, use $K_{uv\tau}$ given from the 
EA to decrypt $E_{K_{uv\tau}}(S)$ to get $S$. Finally, message $M$ is obtained by decrypting 
$E_S(M)$ with $S$. If a redundancy violation is observed, store everything and stop 
(legal action should then be taken). 

5 Security Analysis 

Here we restrict ourselves to proving security of warrant bounds, as it is not clear 
whether warrant bounds are achieved when node and edge surveillance are conducted 
in a mixed way. (It is not hard to verify that the proposed scheme implements 
verifiability, surveillance switching, non-directive monitoring, off-line EA, and 
non-interactiveness.) 

Let $\mathcal{N}_u$ denote a list of terms wherein node surveillance was conducted against 
user $u$. Similarly let $\mathcal{E}_{uv}$ be a list of terms wherein edge surveillance is performed 
against users $u$ and $v$. When an edge surveillance is conducted at term $\tau$, we 
assume that $\tau$ is listed in either $\mathcal{E}_{uv}$ or $\mathcal{E}_{vu}$. Namely, we assume $\mathcal{E}_{uv} \cap \mathcal{E}_{vu} = \emptyset$. 
Theorem 1. If $|\mathcal{N}_u| > t$, the LEP can compute $X_{u\tau}$ for arbitrary $\tau \in \mathcal{P}$. 

Theorem 1 immediately holds from the threshold property of our noninteractive 
key renewal. 
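To make the renewal formulas of Section 4.2, the edge disclosure protocol (De-1/De-2) and the threshold property behind Theorem 1 concrete, the following Python model is added here (example code written for this edition, not the paper's own): it uses a constructed toy group p = 1019, q = 509, g = 4 that is far too small for real use, SHA-256 in the role of H, and keeps the Chaum-Pedersen challenge at full digest length instead of reducing it modulo the toy q.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): p = 1019, q = 509 divides p - 1 = 2 * 509,
# and g = 4 generates the order-q subgroup G_q of Z_p^*.
P, Q, G = 1019, 509, 4


def H(*parts):
    """One-way hash over the '||'-joined parts, modelled with SHA-256. The paper reduces
    the digest to |q| bits; with a toy q that would make challenges collide, so the full
    256-bit value is kept (it is only ever used as an exponent, which is fine)."""
    data = b"||".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen(t):
    """Sect. 4.3: t + 1 private base keys x_ui in Z_q and public base keys y_ui = g^x_ui."""
    x = [secrets.randbelow(Q - 1) + 1 for _ in range(t + 1)]
    y = [pow(G, xi, P) for xi in x]
    return x, y


def private_term_key(x, tau):
    """X_{u,tau} = sum_i x_ui * tau^i mod q: the degree-t polynomial f_u evaluated at tau."""
    return sum(xi * pow(tau, i, Q) for i, xi in enumerate(x)) % Q


def public_term_key(y, tau):
    """Y_{u,tau} = prod_i y_ui^(tau^i) mod p; anyone can derive it from the certified y_ui."""
    out = 1
    for i, yi in enumerate(y):
        out = out * pow(yi, pow(tau, i, Q), P) % P
    return out


def edge_disclose(x_u, y_v, tau):
    """EA side (De-1): K_{uv,tau} = Y_{v,tau}^{X_{u,tau}} plus a Chaum-Pedersen proof of
    log_g Y_{u,tau} = log_{Y_{v,tau}} K_{uv,tau}, so the LEP can check the released key."""
    X_u = private_term_key(x_u, tau)
    Y_v = public_term_key(y_v, tau)
    K = pow(Y_v, X_u, P)
    w = secrets.randbelow(Q - 1) + 1
    c = H(K, pow(G, w, P), pow(Y_v, w, P))
    z = (w - c * X_u) % Q
    return K, c, z


def edge_verify(y_u, y_v, tau, K, c, z):
    """LEP side (De-2): rebuild both commitments from public data and re-derive c."""
    Y_u = public_term_key(y_u, tau)
    Y_v = public_term_key(y_v, tau)
    a1 = pow(G, z, P) * pow(Y_u, c, P) % P    # g^z * Y_u^c = g^w when z = w - c X_u
    a2 = pow(Y_v, z, P) * pow(K, c, P) % P    # Y_v^z * K^c = Y_v^w when K = Y_v^X_u
    return c == H(K, a1, a2)


def interpolate_term_key(points, tau):
    """Theorem 1: given X_{u,k} for t + 1 (or more) distinct terms k, Lagrange
    interpolation over Z_q yields X_{u,tau} for ANY tau, authorised or not. With only t
    term keys the polynomial is underdetermined, which is what the threshold t buys."""
    total = 0
    for k, X_k in points.items():
        lam = 1
        for m in points:
            if m != k:
                lam = lam * (tau - m) * pow((k - m) % Q, -1, Q) % Q
        total = (total + lam * X_k) % Q
    return total


if __name__ == "__main__":
    t, tau = 4, 7                       # P = 52 weekly terms, threshold t = 4 as in Sect. 4.1
    x_u, y_u = keygen(t)
    x_v, y_v = keygen(t)
    K, c, z = edge_disclose(x_u, y_v, tau)
    print("edge disclosure proof accepted:", edge_verify(y_u, y_v, tau, K, c, z))
    leaked = {k: private_term_key(x_u, k) for k in range(1, t + 2)}   # |N_u| = t + 1
    print("unauthorised X_u,52 recovered:",
          interpolate_term_key(leaked, 52) == private_term_key(x_u, 52))
```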

Theorem 2. If $|\mathcal{N}_u \cup \mathcal{N}_v \cup \mathcal{E}_{uv} \cup \mathcal{E}_{vu}| > 2t+1$, the LEP can compute $K_{uv\tau}$ for 
arbitrary $\tau \in \mathcal{P}$. 

Proof. Let $f_u(Z)$ and $f_v(Z)$ be random $t$-degree polynomials decided by the base 
private keys of user $u$ and $v$, respectively. Observe that $\log_g K_{uv\tau}$ is on the $2t$-degree 
polynomial $f_u(Z)f_v(Z)$ at $Z = \tau$. Let $W_i$ be an element of $\mathbb{Z}_p$ such that $\log_g W_i$ 
is the $i$-th coefficient of $f_u(Z)f_v(Z)$. Observe that $K_{uvk} = W_0 W_1^{k} \cdots W_{2t}^{k^{2t}}$ 
holds. Hence, given $K_{uvk}$ for more than $2t+1$ different $k$'s, one can determine 
all $W_i$ by solving a series of multiplicative equations (without solving the discrete 
logarithms). Then, one can compute $K_{uv\tau}$ for any $\tau \in \mathcal{P}$ with those $W_i$. 

Next we state the conditions on $\mathcal{N}$ and $\mathcal{E}$ to force warrant bounds on the LEP. 
Suppose that the LEP attempts to conduct illegal monitoring at unauthorized 
terms or against unauthorized users. What the LEP has at this time is the 
history (keys and proofs) of the previous surveillance. A history, denoted by 
Hist, consists of keys for node investigation, keys and proofs (issued by the EA) 
for edge investigation, and public base keys for all users. More precisely, Hist is 
defined as 

$$\bigcup_{i,j \in U} \Big( \{X_{ik} \mid k \in \mathcal{N}_i\} \cup \{K_{ijk}, \mathrm{Proof}_{ijk} \mid k \in \mathcal{E}_{ij} \cup \mathcal{E}_{ji}\} \cup \{y_{i0}, \ldots, y_{it}\} \Big)$$ 

where $\mathrm{Proof}_{ijk}$ is $(c, z)$ shown in the disclosure protocol for edge surveillance 
in the previous section. Given such Hist, the LEP attempts to compute $X_{u\tau}$ or 
$K_{uv\tau}$ for some $(u, v, \tau)$ that has not appeared in Hist. The following theorem 
states that the LEP will not be successful in such an attempt. In this theorem, 
we consider the LEP static so that it does not adaptively construct the history 
after seeing the base keys of users. Instead, we prove that, given any history, the 
LEP will fail to conduct unauthorized surveillance as long as all $\mathcal{N}_i$'s and $\mathcal{E}_{ij}$'s 
satisfy the conditions shown below. 

Theorem 3. (Security against unauthorized node surveillance) Let LEP be a 
probabilistic polynomial time algorithm. Assume that the following conditions 
are satisfied: for all $i \in U$, 

$$|\mathcal{N}_i| \le t, \qquad (1)$$ 

$$|\mathcal{E}_{ij}| \le t \ \text{ for all } j \in U \setminus \{i\}, \text{ and} \qquad (2)$$ 

(3) 

Given $\{X_{ik} \mid k \in \mathcal{N}_i\}$, $\{K_{ijk} \mid k \in \mathcal{E}_{ij}\}$ and $\{y_{i0}, \ldots, y_{it}\}$ for all $i, j \in U$, the 
probability that LEP outputs $X_{u\tau}$ for some $u \in U$ and $\tau \in \mathcal{P}$ such that $\tau \notin \mathcal{N}_u$ is 
negligible under the intractability assumption of the discrete logarithm problem. 
Proof. Proof is done by contradiction. We construct a discrete logarithm solver 
$M_{DL}$ assuming the existence of a machine, say $M_{node}$, that outputs a key for 
illegal node surveillance. $M_{DL}$ is given an instance $(p, q, g, Y)$ where $\log_g Y$ in 
$\mathbb{Z}_p$ is to be solved. $M_{DL}$ simulates Hist by producing all base keys and works as 
follows. 

Step 1. (Generating the history of targets and periods) $M_{DL}$ randomly gene- 
rates $\mathcal{N}_i$ and $\mathcal{E}_{ij}$ for all $i, j \in U$ so that they satisfy the conditions 
addressed in the statement. 

The following steps are repeated for all $i \in U$. 

Step 2. (Generating the base keys) Pick $r_i \in_R \mathbb{Z}_q^*$ and compute $y_{i0} := Y^{r_i}$. 
Next, if $|\mathcal{N}_i \cup \bigcup_{j \in U} \mathcal{E}_{ij}| < t$, select $C_i$ from $\{P+1, \ldots, q\}$ so that 
$|C_i \cup \mathcal{N}_i \cup \bigcup_{j \in U} \mathcal{E}_{ij}| = t$. Let $\mathcal{X}_i$ denote the above set $C_i \cup \mathcal{N}_i \cup 
\bigcup_{j \in U} \mathcal{E}_{ij}$. Then, for every $k \in \mathcal{X}_i$, select $X_{ik} \in_R \mathbb{Z}_q$. Then, compute 
$y_{i\ell}$ for $\ell = 1, \ldots, t$ so that they satisfy $g^{X_{ik}} = y_{i0} \prod_{\ell=1}^{t} y_{i\ell}^{k^\ell}$ for all 
$k \in \mathcal{X}_i$ (note that this does not need a solution of the discrete logarithm). 
Add $y_{i0}, \ldots, y_{it}$ to Hist. 

Step 3. (Generating node surveillance keys) For all $k \in \mathcal{N}_i$, add $X_{ik}$ to Hist. 

Step 4. (Generating edge surveillance keys and proofs) For all $k \in \mathcal{E}_{ij}$, 
compute $K_{ijk}$ as $K_{ijk} = Y_{jk}^{X_{ik}}$ and add them to Hist. Also 
compute appropriate $\mathrm{Proof}_{ijk}$ by using $X_{ik}$ and add it to Hist. 

The resulting Hist distributes uniformly over the space where the real Hist is 
taken when the LEP randomly decides the targets and periods of surveillance. 

Now $M_{DL}$ gives the produced history to $M_{node}$ with the expectation that it 
will output unauthorized $X_{u\tau}$. Precisely, $M_{DL}$ works as follows. 

Step 5. (Invoking $M_{node}$) Give Hist produced in Steps 1-4 to $M_{node}$, and get an 
output $(u, \tau, X_{u\tau})$. Abort if $g^{X_{u\tau}} \ne \prod_{i=0}^{t} y_{ui}^{\tau^i}$ happens. 

Step 6. (Computing the discrete logarithm of $Y$ by interpolation) Output $X := 
r_u^{-1} \sum_{k \in Q} \lambda_{k,Q} X_{uk} \bmod q$ where $\lambda_{k,Q} := \prod_{\ell \in Q,\, \ell \ne k} \ell/(\ell - k)$ and 
$Q = \mathcal{X}_u \cup \{\tau\}$. 

Observe that $C_u$ is taken from outside of the valid period in Step 2. This 
avoids the failure that $M_{node}$ outputs $X_{u\tau}$ for $\tau \in C_u$ in Step 4. Then, it is easy 
to see, by inspection, that if $M_{DL}$ completes then $X$ equals $\log_g Y$. The success 
probability of $M_{DL}$ is the same as that of $M_{node}$. 



Theorem 4. (Security against unauthorized edge surveillance) Suppose that the 
LEP is given $\{X_{ik} \mid k \in \mathcal{N}_i\}$, $\{K_{ijk} \mid k \in \mathcal{E}_{ij}\}$ and $\{y_{i0}, \ldots, y_{it}\}$ that satisfy 
conditions 1, 2, and 3 for all $i, j \in U$. The probability that the LEP outputs 
$K_{uv\tau}$ for some $u, v \in U$ and $\tau \in \mathcal{P}$ such that $\tau \notin \mathcal{E}_{uv} \cup \mathcal{N}_u \cup \mathcal{N}_v$ is negligible 
under the intractability assumption of the Diffie-Hellman problem. 
Proof. Similar to the previous proof, we assume the existence of a machine called 
$M_{edge}$ which takes Hist as an input and outputs, with non-negligible probability, 
$(u, v, \tau, K_{uv\tau})$ that is not included in Hist. By using $M_{edge}$ as a subroutine we 
construct a Diffie-Hellman problem solver $M_{DH}$ that takes $(p, q, g, Y, Z)$ as an 
input and outputs $g^{\log_g Y \log_g Z}$. Although $M_{DH}$ is more complicated than $M_{DL}$, the 
description of $M_{DH}$ is the same as that of $M_{DL}$ in the proof of Theorem 3 except 
for Steps 2, 5 and 6 as shown in the following. In Step 2, $M_{DH}$ first randomly 
divides the users into two groups, $U_1$ and $U_2$, whose sizes are the same (if the 
number of users is odd, we allow a difference of one element between $U_1$ and $U_2$). 
It then computes $y_{u0} := Y^{r_u}$ for all users $u \in U_1$ and $y_{v0} := Z^{r_v}$ for all users 
$v \in U_2$ where $r_u, r_v$ are taken randomly from $\mathbb{Z}_q^*$. The rest is the same as the original 
Step 2. In Step 5, $M_{DH}$ receives $(u, v, \tau, K_{uv\tau})$ from $M_{edge}$. 

Before describing Step 6, we need to make some observations. According to 
Step 2, $y_{u1}, \ldots, y_{ut}$ satisfy $g^{X_{uk}} = y_{u0} y_{u1}^{k} \cdots y_{ut}^{k^t}$ for all $k \in \mathcal{X}_u$. From those 
$t$ equations (recall that $|\mathcal{X}_u| = t$), we can represent $y_{ui}$ as $y_{ui} = g^{\alpha_{ui}} y_{u0}^{\beta_{ui}}$ 
with some constants $\alpha_{ui}$ and $\beta_{ui}$ in $\mathbb{Z}_q$. The important fact is that $M_{DH}$ can 
compute those $\alpha$'s and $\beta$'s from $r_u$ and $X_{uk}$ chosen in Step 2. Hence, $Y_{u\tau}$ can 
be represented as 

$$Y_{u\tau} = \prod_{i=0}^{t} y_{ui}^{\tau^i} = g^{\gamma_{u\tau}} y_{u0}^{\delta_{u\tau}}$$ 

with appropriate constants $\gamma_{u\tau}$ and $\delta_{u\tau}$ known to $M_{DH}$. In the same way, $M_{DH}$ 
can compute $\gamma_{v\tau}$ and $\delta_{v\tau}$ that satisfy $Y_{v\tau} = g^{\gamma_{v\tau}} y_{v0}^{\delta_{v\tau}}$. Observe that 

$$\log Y_{u\tau} = \gamma_{u\tau} + \delta_{u\tau} \log y_{u0} \pmod q, \text{ and}$$ 

$$\log Y_{v\tau} = \gamma_{v\tau} + \delta_{v\tau} \log y_{v0} \pmod q$$ 

hold (logarithms are to base $g$ in the above equations and the same applies for the 
rest of this proof). So, by multiplying the above equations, we have 

$$\log y_{u0} \log y_{v0} = \frac{\log Y_{u\tau} \log Y_{v\tau} - \gamma_{u\tau}\delta_{v\tau} \log y_{v0} - \gamma_{v\tau}\delta_{u\tau} \log y_{u0} - \gamma_{u\tau}\gamma_{v\tau}}{\delta_{u\tau}\delta_{v\tau}} \pmod q.$$ 

Thus, 

$$g^{\log y_{u0} \log y_{v0}} = \Big(K_{uv\tau}\, y_{v0}^{-\gamma_{u\tau}\delta_{v\tau}}\, y_{u0}^{-\gamma_{v\tau}\delta_{u\tau}}\, g^{-\gamma_{u\tau}\gamma_{v\tau}}\Big)^{1/(\delta_{u\tau}\delta_{v\tau})}.$$ 

In the final step $M_{DH}$ aborts if both $u$ and $v$ are in either $U_1$ or $U_2$. Otherwise, 
it computes $\gamma_{u\tau}, \delta_{u\tau}, \gamma_{v\tau}, \delta_{v\tau}$ and outputs 

$$\Big(K_{uv\tau}\, y_{v0}^{-\gamma_{u\tau}\delta_{v\tau}}\, y_{u0}^{-\gamma_{v\tau}\delta_{u\tau}}\, g^{-\gamma_{u\tau}\gamma_{v\tau}}\Big)^{1/(r_u r_v \delta_{u\tau}\delta_{v\tau})} = g^{\log Y \log Z}.$$ 

The description of $M_{DH}$ ends. 

The success probability of $M_{DH}$ is worse than that of $M_{edge}$ because $M_{DH}$ 
fails if $M_{edge}$ outputs $u, v$ both of which belong to either $U_1$ or $U_2$. Since the 
public base keys distribute uniformly over the space whichever group they belong 
to, $U_1$ or $U_2$, $M_{edge}$ has no information about $U_1$ and $U_2$. Hence the probability 
that $u$ and $v$ belong to different groups is 

Q 

Since we have $U_1$ and $U_2$ of (almost) the same size the probability is larger than 
$1/2$. Thus, the success probability of $M_{DH}$ is more than half of that of $M_{edge}$, 
which is not negligible. 



Notice that conditions 1, 2, 3 are not the reverse of the conditions stated in 
Theorems 1 and 2. Hence they may not be tight. Indeed, those conditions are 
needed only for technical reasons (to simulate the history of surveillance). 

6 Efficiency 

The computational overhead of the proposed protocol is small: it only requires 
the private key and public key for each term to be computed from the corresponding 
base keys. This computational overhead grows in factor $\log P$. For instance, 
let us take $P = 52$ and $t = 4$ as before. Let $k$ be a variable that represents 
terms. As the term varies from 1 to 52, $k$ needs 7 bits, and the number of multiplications 
in $\mathbb{Z}_p$ for computing the public key of the $k$-th term is $\sum_{i=0}^{t} i\,|k| \approx 70$. Therefore, 
even if we do not use an advanced method for calculating vector exponentiation, 
computation of the public key consumes only 70 modular multiplications in $\mathbb{Z}_p$. 
This takes about one third of the time needed for the modular exponentiation 
commonly used in other computations if we take $|q| \approx 160$ as is usual. We expect 
that such a small overhead is acceptable for many computationally weak user 
terminals. Necessary storage for base keys is linear in $t$. Accordingly, the under- 
lying public key infrastructure must support $t$ times more public keys. However, 
communication complexity, except base key distribution, does not increase at 
all. 



7 Extensions 

7.1 Shared Escrow Agency 

The shared EAs cooperatively work as a single EA as presented before, so the 
difference appears only in the registration protocol and the disclosure protocol. 
We assume that users can access each EA via a private channel during the 
registration protocol. 
In the registration protocol, a user gives a share of his base secret keys to 
each EA. Each EA then verifies that what is received is a correct share of the 
base secret keys that correspond to the base public keys. Such a requirement is 
easily satisfied by using verifiable secret sharing [4] in the registration protocol. 
The disclosure protocol must be modified so that it is done in a shared manner. 
Let us omit descriptions of these straightforward modifications. 

7.2 Hiding Targets from the Escrow Agency 

Here we describe two plug-in schemes for hiding targets from the EA while 
preserving other properties. Our solution is based on [9]. At the end of term 
$\tau - 1$, the EA encrypts the new private key $X_{u\tau}$ of every user by using El Gamal 
encryption with its encryption key $y$ (for efficiency, we assume that each term 
has a reasonable span). Since El Gamal encryption is malleable, the LA can blind 
the target ciphertext. The blinded ciphertext is sent to the EA via the LEP, 
and the LEP finally obtains $X_{u\tau}$ by unblinding the output of the EA. A more 
precise description is as follows (in the following, suffix $\tau$ is omitted). The EA 
prepares a key pair $(x, y)$ such that $x \in \mathbb{Z}_{q-1}$ and $y = h^x \bmod q$ where $h$ is 
a generator of $\mathbb{Z}_q^*$. At the end of term $\tau - 1$, the EA encrypts, for all $i \in U$, 
$X_i$ as $(M_i, G_i) = (X_i y^{t_i} \bmod q,\ h^{t_i} \bmod q)$ where $t_i \in_R \mathbb{Z}_{q-1}$. It then publishes 
the resulting ciphertexts. The following is the procedure of disclosure for node 
surveillance. 

[Blind Disclosure Protocol (Node)] 

Step 1. The LA selects $w_1, w_2 \in_R \mathbb{Z}_{q-1}$. It then blinds $(M_u, G_u)$ as $(M, G) = 
(M_u y^{w_1+w_2},\ G_u h^{w_1})$. It passes $(M, G, w_2)$ to the LEP together with its 
authorized signature. 

Step 2. The LEP sends $(M, G)$ and the signature of the LA to the EA. 

Step 3. The EA computes $X := M/G^x \bmod q$ and sends $X$ back to the LEP. 

Step 4. The LEP computes $X_u := X/y^{w_2} \bmod q$ and verifies that $g^{X_u} = Y_u$. 
If it fails, declare reject. 

[End] 

It is easy to confirm the correctness of the protocol by checking that 

$$X/y^{w_2} = \frac{M}{G^x\, y^{w_2}} = \frac{X_u\, y^{t_u+w_1+w_2}}{y^{t_u+w_1+w_2}} = X_u .$$ 

Furthermore, $(M, G)$ is computationally indistinguishable from any $(M_i, G_i)$ un- 
der the intractability assumption of the decision Diffie-Hellman problem. 

The next is the procedure of disclosure for edge surveillance between user $u$ 
and $v$. 
[Blind Disclosure Protocol (Edge)] 

Step 1. The LA selects $w_1, w_2 \in_R \mathbb{Z}_{q-1}$ and $w_3 \in_R \mathbb{Z}_q$. It then blinds $(M_u, G_u)$ 
and $Y_v$ as $(M, G) = (M_u y^{w_1+w_2},\ G_u h^{w_1})$ and $Y = Y_v^{w_3}$. It passes 
$(M, G, w_2, w_3)$ and $Y$ to the LEP together with its authorized signa- 
ture. 

Step 2. The LEP sends $(M, G)$ and $Y$ to the EA with the signature of the LA. 

Step 3. The EA computes $K := Y^{M/G^x \bmod q}$ and sends $K$ back to the LEP. 
Similar to the original disclosure protocol shown in section 4.3, it 
then provides a proof $(c, z)$ where $c = \mathcal{H}(K, Y^w, g^w)$ and $z = w - 
c(M/G^x) \bmod q$ for $w \in_R \mathbb{Z}_{q-1}$. 

Step 4. The LEP verifies the proof and computes $K_{uv} := K^{1/(w_3 y^{w_2}) \bmod q}$. 

[End] 



Observe that 

$$K^{1/(w_3 y^{w_2})} = \Big(Y_v^{w_3}\Big)^{\frac{M_u\, y^{w_1+w_2}}{(G_u h^{w_1})^x\, y^{w_2}} \cdot \frac{1}{w_3}} = Y_v^{\frac{X_u\, y^{t_u+w_1+w_2}}{y^{t_u+w_1+w_2}}} = Y_v^{X_u} .$$ 
Thus, the LEP can blindly obtain the common key Kyy for edge surveillance. 
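The node and edge variants of the blind disclosure protocol, as an added Python model (not the paper's code) over the same constructed toy group (p = 1019, q = 509, g = 4), with h = 2 as the generator of Z_q^* for the EA's El Gamal key; the EA's Chaum-Pedersen proof of Step 3 is left out here, since it is the same proof as in Section 4.3.

```python
import secrets

# Constructed toy parameters (NOT secure): G_q of order q = 509 in Z_p^* with p = 1019
# and g = 4; h = 2 is a generator of Z_q^* used by the EA's El Gamal encryption over Z_q.
P_MOD, Q_ORD, g, h = 1019, 509, 4, 2


def inv_mod(a, m):
    return pow(a % m, -1, m)


def ea_elgamal_keygen():
    """EA key pair (x, y) with x in Z_{q-1} and y = h^x mod q."""
    x = secrets.randbelow(Q_ORD - 2) + 1
    return x, pow(h, x, Q_ORD)


def ea_publish(X_u, y):
    """End of term tau - 1: the EA publishes (M_u, G_u) = (X_u y^{t_u} mod q, h^{t_u} mod q)."""
    t_u = secrets.randbelow(Q_ORD - 1)
    return X_u * pow(y, t_u, Q_ORD) % Q_ORD, pow(h, t_u, Q_ORD)


def la_blind(M_u, G_u, y):
    """Step 1 (node): the LA re-randomises the published ciphertext with w_1 and adds a
    second blinding factor y^{w_2}; the EA sees (M, G) only, w_2 goes to the LEP."""
    w1 = secrets.randbelow(Q_ORD - 1)
    w2 = secrets.randbelow(Q_ORD - 1)
    M = M_u * pow(y, w1 + w2, Q_ORD) % Q_ORD
    G = G_u * pow(h, w1, Q_ORD) % Q_ORD
    return M, G, w2


def ea_decrypt(M, G, x):
    """Step 3 (node): El Gamal decryption X = M / G^x mod q, which equals X_u y^{w_2}."""
    return M * inv_mod(pow(G, x, Q_ORD), Q_ORD) % Q_ORD


def lep_unblind_node(X, w2, y, Y_u):
    """Step 4 (node): X_u = X / y^{w_2} mod q; returns None (reject) unless g^{X_u} = Y_u."""
    X_u = X * inv_mod(pow(y, w2, Q_ORD), Q_ORD) % Q_ORD
    return X_u if pow(g, X_u, P_MOD) == Y_u else None


def la_blind_edge(M_u, G_u, Y_v, y):
    """Step 1 (edge): as above, plus the partner's public key blinded as Y = Y_v^{w_3}."""
    M, G, w2 = la_blind(M_u, G_u, y)
    w3 = secrets.randbelow(Q_ORD - 1) + 1        # w_3 in Z_q^*, so it is invertible mod q
    return M, G, w2, w3, pow(Y_v, w3, P_MOD)


def ea_blind_edge(M, G, Y, x):
    """Step 3 (edge): K = Y^{M/G^x mod q} = Y_v^{w_3 X_u y^{w_2}}; the EA never learns
    u, v or X_u. (The accompanying proof (c, z) is omitted here; see Sect. 4.3.)"""
    return pow(Y, ea_decrypt(M, G, x), P_MOD)


def lep_unblind_edge(K, w2, w3, y):
    """Step 4 (edge): K_uv = K^{1/(w_3 y^{w_2})}, the inverse taken mod q, equals Y_v^{X_u}."""
    e = w3 * pow(y, w2, Q_ORD) % Q_ORD
    return pow(K, inv_mod(e, Q_ORD), P_MOD)


if __name__ == "__main__":
    x, y = ea_elgamal_keygen()
    X_u, X_v = 123, 77                          # constructed term keys of users u and v
    Y_u, Y_v = pow(g, X_u, P_MOD), pow(g, X_v, P_MOD)
    M_u, G_u = ea_publish(X_u, y)
    M, G, w2 = la_blind(M_u, G_u, y)
    print("node:", lep_unblind_node(ea_decrypt(M, G, x), w2, y, Y_u) == X_u)
    M, G, w2, w3, Y = la_blind_edge(M_u, G_u, Y_v, y)
    print("edge:", lep_unblind_edge(ea_blind_edge(M, G, Y, x), w2, w3, y) == pow(Y_v, X_u, P_MOD))
```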

Finally let us point out that such a blind decoding approach will allow the 
LEP and the LA to launch adaptive chosen ciphertext attacks. Though it is 
not likely that such attacks will completely break an El Gamal cryptosystem, it 
could endanger the secrecy of keys whose disclosure is unauthorized. 



8 Open Problems 

— Our construction of the target hiding property could be vulnerable to ad- 
aptive chosen message attacks, as were former solutions. Find an alternative 
solution that is immune to such attacks while preserving communication (or 
even computation) complexity and other properties. 

— Treatment of mutually distrusted escrow agencies [9,5] was not covered in 
this paper. Can such a property be implemented without affecting the other 
properties listed in this paper? 
Abstract. Multicast security has been intensively studied in recent 
years. In all previous schemes a trusted group controller is essential. 
However this is a restrictive assumption in applications such as telecon- 
ferences among members of a dynamic group. This leads to the problem 
of constructing dynamic group controllers in the multicast environment. 
That is, after the initialisation of the system, each user in the group can 
establish a common key among a subset of users by broadcasting a mes- 
sage (or messages) such that only the users in the designated group are 
able to decrypt it. In this paper, we present two solutions, one based on 
key distribution patterns which can cater for both private key and public 
key settings, and the other using tree based key hierarchy structure by 
employing the Diffie-Hellman key exchange protocol. We assess security 
and efficiency of our proposed schemes. 



1 Introduction 

Multicast, or one-to-many communication is the basic form of transmission in 
group communication applications and forms the main primitive for a range of 
advanced telecommunication services including video broadcasting, multi-party 
teleconferencing, stock quote distribution, and updating software. 

Multicast security has been intensively studied in recent years (see, for ex- 
ample [2,3,4,8,10,15,16,17]). Secure communication in multicast environment is 
much more challenging than traditional point-to-point communication and raises 
numerous new security problems. Examples are controlling access to the encryp- 
ted data, and efficient management of dynamic groups where new members join 
or existing members need to be evicted. 

A simple solution to providing secure communication in a group is by em- 
ploying conventional point-to-point cryptographic protocols. For example, secure 
group communication can be achieved by giving each user a pair of public and 
secret key which can be used to encrypt messages. However this is very inef- 
ficient: a user who wants to encrypt a message for the group must encrypt it 
for each group member individually and then broadcast the concatenation of 
the encrypted parts. A second solution is to share a common key among the 
group members and use the key to perform the cryptographic operation. This 
raises the question of how to efficiently add new members to, or remove members 
from, the group such that security of the previous and future communication is 
guaranteed. When a new user joins the group, the common key can be sent to 
the new user using secure unicast. However this means that the new user can 
read all the previous encrypted messages. To keep the previous communications 
secret from the new user, a new common key can be generated and sent to the 
old group members encrypted with the old common key, and to the new user 
using secure unicast. Removing users is a more difficult problem. When users 
leave the group it is essential to change the group key in order to conceal future 
communications from the evicted users. This is known as the user revocation or 
blacklisting problem. 

A simple solution to user revocation problem exists when each user in the 
group shares an individual secret key with a centre which controls the group. 
When a user is to be deleted from the group, the centre chooses a new common 
key to be used for encrypting the future group messages, encrypts it with the 
secret key of each user and sends it to them. 

In this system the group controller is the trust and communication bottleneck 
of the system. The controller knows all the keys used by the group members 
and its compromise results in the complete loss of system security. It is also the 
communication bottleneck of the system, and any user revocation requires its 
participation. 

In this paper we consider the revocation problem without the need for a tru- 
sted group controller. That is, we allow any member of the group to remove 
a subgroup of participants and obtain a shared key with the remaining group 
members. This can be used to establish conferences among an arbitrary subgroup, 
initiated by a group member. 



1.1 Previous Work 

The study of encrypted multicast to target some selected subsets of users can be 
dated to the beginning of the 90's by Berkovits [1]. A number of works have followed, 
focusing mainly on the problem of secure multicast for the private-key case, 
under the assumption that one-way functions exist. 

A major step in this direction has been the introduction of broadcast en- 
cryption systems [8] for pay-TV applications. The system enables a single (fixed) 
sender to transmit a message to a dynamically changing subgroup of users, such 
that a collusion of at most $t$ users cannot decrypt the transmissions, unless one of 
the colluders is a member of the subset. The group may change and this change 
will be effected through a new control block. A very important feature of this 
scheme is that the overhead of the control block does not depend on the number 
of the users that are removed from the group. The communication overhead of 
the scheme, assuming the existence of a one-way function, is $O(\ldots \log_2 N \log_2 t)$, 
and each user needs to maintain $O(t \log_2 N \log_2 t)$ keys, where $N$ is the to- 
tal number of users in the group. A number of papers studied various variants 
of broadcast encryption and the user revocation problem with no computational 
assumptions made, see for example, [15,10,3]. 

A totally different solution was proposed by Wallner, Harder and Agee [16], 
and independently by Wong, Gouda and Lam [17]. They propose a tree-based 
scheme that allows removal of a single user with $\log_2 N$ re-keying messages. Re- 
keying messages can be repeated many times for removal of multiple users. The 
scheme provides protection against collusion of an arbitrary number of users. To 
exclude $t$ users, the scheme requires $O(N)$ keys for the group controller, $O(N)$ 
transmission overhead and requires only $O(\log_2 N)$ keys for each user. Canetti 
et al [2] show how to use pseudo-random generators to reduce the transmission 
overhead by a constant factor, but still require $O(N)$ keys for the group con- 
troller. Canetti, Malkin and Nissim [3] explore possible trade-offs between the 
transmission overhead, user keys and centre keys. More recently, Chang et al 
extended the scheme of [16], using Boolean function minimisation techniques 
[4]. They reduced the total number of centre keys from $O(N)$ of Wallner et al's 
scheme to $O(\log_2 N)$, while retaining the same order of transmission overhead and 
user keys. However, the main drawback of Chang et al's scheme is that it does 
not protect against collusion attacks: that is, a collusion of two users can reveal all 
the keys of the system. 



2 Our Work 

All previous schemes have a single group controller who is trusted. The group 
controller generates and distributes users’ keys in the system setup, and manages 
the key updates. In many applications, such as dynamic conferences, group users 
may wish to transmit data to a subgroup of users. If the single group controller 
model is used, then all communication from users should be sent through a 
unicast channel to the group controller and from there multicasted to the group. 
This raises numerous problems such as single point of failure, communication 
overhead for the group controller, and communication delay. 

In contrast to the previous solution in which the controller is fixed, in this 
work we consider the scenario that the group controller is dynamic. That is, 
after the initialisation of the system, each user can establish a common key for 
a subset of the group. This is achieved by a single broadcast to the group which 
can only be decrypted by the members of the target subgroup. 

A simple solution to the problem of dynamic controller is to employ the 
scheme of a single controller as a building block and associate a single controller 
scheme to each user such that the rest of the group are the receivers. We call 
this simple solution the trivial scheme. The obvious drawback of this solution is 
that the key storage of each user is prohibitively large, that is $N - 1$ times the 
storage of a receiver plus the storage of a controller in a single controller scheme, 
which is linear in $N$, and for large groups is very inefficient. 

We address the problem by presenting two approaches, one based on key dis- 
tribution patterns which can cater for both private-key and public-key settings, 
and the other one based on key hierarchy by employing the Diffie-Hellman key 
exchange protocol. 

The basic idea of the first approach is to design the structure of keys in such 
a way that each user holds a different subset of keys, such that each pair of 
users share at least a key that is not known to any removed users; a similar 
method has been used in the fixed sender scheme [10]. In this basic scheme, for a 
group of $N$ users the number of keys to be stored by each user is $O(\log_2 N)$ and 
the communication overhead for deleting $t$ users is only $O(t \log_2 N)$. The scheme 
provides security against collusion of up to $t$ users. 

The second approach is inspired by the work of Wallner et al [16]. We use a 
logical tree structure with each leaf corresponding to a single user. Nodes in the 
tree correspond to intermediate keys and the root is the key known by all the 
users. However, unlike Wallner et al, we do not require a group controller, either 
for key generation and distribution in the system setup or for user revocation. For 
key allocation, we apply a binary key structure. Every user holds a different subset 
of keys and maintains the keys and the tree structure for key update. Each user 
has storage complexity $O(\log_2 N)$, and the communication complexity for removing 
$t$ users ranges from 0 to $O(N)$ depending on the relative positions of the users in the 
logical tree. This approach is also secure against collusion of any $t$ users, where 
$t$ can be any number less than $N$. 



2.1 Notations 

The ring of integers modulo a number $n$ is denoted by $\mathbb{Z}_n$, and the multiplicative 
subgroup of integers relatively prime to $n$, by $\mathbb{Z}_n^*$. 



3 The First Approach 



Assume there are $N$ users, $U = \{U_1, \ldots, U_N\}$. There is a Trusted Authority (TA) 
who distributes keys to each user during the system setup. At a later time the 
users in the group can broadcast messages such that only some designated users 
can decrypt the messages. 



3.1 The Scheme 

The notion of a key distribution pattern is central to the first approach. 

Definition 1. Let $X = \{x_1, \ldots, x_n\}$ and $B = \{B_1, \ldots, B_N\}$ be a family of 
subsets of $X$. The pair $(X, B)$ is called an $(n, N, t)$-key distribution pattern 
($(n, N, t)$-KDP) if 

for any $(t+2)$-subset $\{i, j, s_1, \ldots, s_t\}$ of $\{1, 2, \ldots, N\}$. 




182    H. Kurnio et al. 



Key distribution patterns (KDP) [11] are finite incidence structures that 
were originally designed to distribute keys between pairs of participants in a 
network and in the absence of an online key distribution centre. A KDP is used 
to allocate a collection of subkeys to users in a system such that any pair of 
users can compute a common key by finding an appropriate combination of 
their subkeys. 

In our first scheme we use an $(n, N, t)$-KDP and allow users to determine a 
common key for every $N - t$ users. Let $(X, B)$ be an $(n, N, t)$-KDP. In the system 
setup, the TA randomly selects a set of $n$ keys $k_1, \ldots, k_n$ and for each user $U_i$ 
gives him a subset $\mathcal{K}_i = \{k_r \mid x_r \in B_i\}$ of keys. Assume that a user $U_i$ wants 
to establish a session key $SK$ with other users of the group except $t$ users, say 
$U_{s_1}, \ldots, U_{s_t}$. The user $U_i$ encrypts the session key $SK$ with all his keys except 
those keys incident to $U_{s_1}, \ldots, U_{s_t}$ and broadcasts the encrypted message. That 
is, $U_i$ broadcasts $\{E_{k_r}(SK) \mid x_r \in B_i \setminus (B_{s_1} \cup \cdots \cup B_{s_t})\}$. From the definition of 
KDP we know that every $U_j \in U \setminus \{U_{s_1}, \ldots, U_{s_t}\}$ has at least one key $k_r$ where 
$x_r \in B_i \setminus (B_{s_1} \cup \cdots \cup B_{s_t})$, and so he can decrypt $E_{k_r}(SK)$ to obtain $SK$, while 
every $U_{s_j}$, $1 \le j \le t$, cannot decrypt the message since he does not have any of 
the keys used for encryption. 

Theorem 1. The above scheme based on an (n, N, t)-KDP can remove up to t 
users from a group of N users. It requires each user to store less than n keys, 
and the maximum number of transmissions is n. The system is secure against 
collusion of t malicious users. 

The theorem shows that the overhead of the system is affected by various 
parameters of the underlying key distribution pattern. For given t and N, we 
expect n to be as small as possible. Equivalently, for given n and t, we expect 
N to be as large as possible. 

Constructing KDP with maximal N for a given size n has been extensively 
studied in the literature; see [11,9,13,6,12,15]. Mitchell and Piper [11], and Gong and 
Wheeler [9] gave explicit constructions for (n, N, t)-KDP in which n is O(N), as 
opposed to the trivial construction that gives each pair of users an individual 
key, which requires that n is O(N^2). Dyer, Fenner, Frieze and Thomason [6] 
showed the existence of (n, N, t)-KDP with n = O(log_2 N). 

The above analysis shows that the number of keys that needs to be stored by 
each user is of the order O(log_2 N) and that the length of the message needed for 
updating the session key and removing t users is O(log_2 N), where the message is 
the concatenation of the session key encrypted with a number of keys. The following 
example gives an illustration of the above re-keying scheme. 
Example 1. 

Let X = {1, 2, 3, 4, 5, 6, 7, 8, 9} and B = {B_1, B_2, B_3, B_4, B_5, B_6, B_7, B_8, B_9, 
B_10, B_11, B_12} defined as follows. 

B_1 = {4, 5, 6, 7, 8, 9}    B_2 = {2, 3, 5, 6, 8, 9} 
B_3 = {2, 3, 4, 6, 7, 8}    B_4 = {2, 3, 4, 5, 7, 9} 
B_5 = {1, 2, 3, 7, 8, 9}    B_6 = {1, 3, 4, 6, 7, 9} 
B_7 = {1, 3, 4, 5, 8, 9}    B_8 = {1, 3, 5, 6, 7, 8} 
B_9 = {1, 2, 3, 4, 5, 6}    B_10 = {1, 2, 4, 5, 7, 8} 
B_11 = {1, 2, 5, 6, 7, 9}   B_12 = {1, 2, 4, 6, 8, 9}. 

Then (X, B) is a (9, 12, 1)-KDP. 

Assume that after initialisation, user U_1 wants to establish a common key 
with the rest of the users except U_3. Since B_1 \ B_3 = {5, 9}, using our first scheme, 
U_1 encrypts the key SK using k_5 and k_9, and broadcasts {E_{k_5}(SK), E_{k_9}(SK)} 
to the group. It is easy to see that every user except U_3 can decrypt at least one 
encrypted SK in the broadcast message using k_5 or k_9. On the other hand, U_3 
does not know k_5 and k_9 and so cannot decrypt the message. 

3.2 Communication Efficiency 

In the following we show how to improve the communication cost of the basic 
scheme. That is, reduce the bandwidth used by the group controller for 
broadcasting information. 

Our construction uses erasure codes - a similar method has been proposed 
for the single controller case in [10]. Erasure codes are a special class of 
error-correcting codes that allow recovery of a message if part of it is damaged or 
erased during the transmission. 

Definition 2. An [n, k, m]_q (constructive) erasure code is a polynomial-time 
function C : F_q^k → F_q^n such that there exists a polynomial-time function 
D : $\bar{F}_q^n$ → F_q^k, where $\bar{F}_q$ = F_q ∪ {⊥}, such that for all v ∈ F_q^k, if u ∈ $\bar{F}_q^n$ is such 
that u agrees with C(v) on at least m places, and is ⊥ elsewhere, then D(u) = v. 

Given an [n, k, m]_q erasure code, one can encode a message v to obtain a 
codeword C(v). The message v can be reconstructed if up to n − m positions 
of C(v) are damaged or erased. Erasure codes can be constructed using 
error-correcting codes, such as Reed-Solomon codes. Given a message vector 
v = (v_0, v_1, ..., v_{k-1}) ∈ F_q^k, we construct the polynomial p_v(x) = v_0 + v_1 x + 
... + v_{k-1} x^{k-1}. Let e_1, e_2, ..., e_n be n distinct elements in F_q. The encoding is 
defined by C(v) = (p_v(e_1), p_v(e_2), ..., p_v(e_n)), and the decoding D uses k pairs 
(e_i, p_v(e_i)) to interpolate the polynomial and reconstruct the coefficients of p_v(x) 
and obtain the source message v. 

In order to apply the erasure codes to improve the communication cost in 
our basic scheme, we need to slightly modify the definition of key distribution 
patterns. 
Definition 3. Let X = {x_1, ..., x_n} be a set and B = {B_1, ..., B_N} be a family 
of subsets of X. The pair (X, B) is called an (n, N, t)-a-key distribution pattern 
((n, N, t)-a-KDP) if 

$$\left| (B_i \cap B_j) \setminus \Big( \bigcup_{k=1}^{t} B_{s_k} \Big) \right| \ge a$$

for any (t + 2)-subset {i, j, s_1, ..., s_t} of {1, 2, ..., N}. 

For a = 1, an (n, N, t)-a-KDP is the same as an (n, N, t)-KDP. It is 
easy to see that an a-KDP with a ≥ 2 can be constructed by concatenating 
multiple KDPs. Also an (n, N, t)-a-KDP is an (n, N, t − 1)-a'-KDP with 
a' ≥ a + 1. It would be interesting to look for more sophisticated solutions. 
We believe that most techniques for constructing KDPs can be generalised to 
a-KDP in a straightforward manner. 

Now the basic scheme can be modified as follows. Assume that the (auxiliary) 
keys of the users are elements of a finite field F_q. Let (X, B) be an (n, N, t)-a-
KDP. For simplicity, we assume that |B_i| = ℓ for all i, and each session key SK 
is an element in F_q^k. To update a session key in the basic scheme, user U_i applies 
an [ℓ, k, a]_q erasure code (C, D) in the generation of the broadcast message. For a 
session key SK = (SK_1, SK_2, ..., SK_k), U_i computes C(SK) = (c_1, c_2, ..., c_ℓ) 
and broadcasts E(SK) = {E_{k_r}(c_r)} for all r such that x_r ∈ B_i \ (B_{i_1} ∪ B_{i_2} ∪ ... ∪ 
B_{i_t}). Since each non-excluded user has at least a keys from the keys of U_i, it 
follows that each non-excluded user can decrypt a messages of E(SK) and so 
can decrypt a components of C(SK), and obtain SK. 
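Definition 2 and the modified scheme above are easier to follow with a runnable instance. The following Python code is an added example, not the paper's: it implements an [ℓ, k, k]_q Reed-Solomon erasure code over F_q with q = 2^31 − 1 and evaluation points e_r = r (both constructed choices), and the erasure-coded broadcast in which each component c_r is hidden under the auxiliary key k_r by a constructed hash-derived one-time pad standing in for E_{k_r}. The names encode, decode, erasure_broadcast and erasure_recover are assumptions of this example.

```python
"""Reed-Solomon erasure code of Definition 2 and the erasure-coded re-keying of
Section 3.2.  Added example with constructed parameters; the per-component
pad is a toy stand-in for the paper's E_{k_r}, used once per (key, position)."""
import hashlib

Q = 2**31 - 1   # prime, so the integers mod Q form the field F_q (constructed choice)


def _poly_mul_linear(p, c):
    """Multiply coefficient list p (lowest degree first) by (x - c) in F_q[x]."""
    out = [0] * (len(p) + 1)
    for i, a in enumerate(p):
        out[i] = (out[i] - a * c) % Q
        out[i + 1] = (out[i + 1] + a) % Q
    return out


def encode(v, n):
    """C: F_q^k -> F_q^n with c_r = p_v(e_r), p_v(x) = v_0 + v_1 x + ..., e_r = r."""
    return [sum(a * pow(r, d, Q) for d, a in enumerate(v)) % Q for r in range(1, n + 1)]


def decode(u, k):
    """D: any k non-erased positions (erased = None) determine p_v by Lagrange
    interpolation; returns the k coefficients v, or None if fewer than k survive."""
    points = [(r + 1, y) for r, y in enumerate(u) if y is not None][:k]
    if len(points) < k:
        return None
    coeffs = [0] * k
    for i, (ei, yi) in enumerate(points):
        basis, denom = [1], 1                     # Lagrange basis polynomial L_i
        for j, (ej, _) in enumerate(points):
            if j != i:
                basis = _poly_mul_linear(basis, ej)
                denom = denom * (ei - ej) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for d in range(k):
            coeffs[d] = (coeffs[d] + scale * basis[d]) % Q
    return coeffs


def _pad(key, r):
    """Toy keystream element derived from auxiliary key k_r and position r."""
    return int.from_bytes(hashlib.sha256(key + bytes([r])).digest(), "big") % Q


def erasure_broadcast(sk, sender_keys, usable):
    """U_i sends E(SK) = { E_{k_r}(c_r) : r usable }; positions whose key is held by
    an excluded user are simply not sent, so they arrive as erasures."""
    code = encode(sk, len(sender_keys))
    return {r: (code[r - 1] + _pad(sender_keys[r], r)) % Q for r in usable}


def erasure_recover(broadcast, my_keys, k, n):
    """A receiver unpads the positions it has keys for, marks the rest as ⊥ (None)
    and runs D; this succeeds iff it shares at least k usable keys with the sender."""
    u = [None] * n
    for r, ct in broadcast.items():
        if r in my_keys:
            u[r - 1] = (ct - _pad(my_keys[r], r)) % Q
    return decode(u, k)


if __name__ == "__main__":
    keys = {r: bytes([r]) * 16 for r in range(1, 7)}      # constructed k_1..k_6, l = 6
    sk = [123456789, 987654321, 55555]                      # SK in F_q^3, k = 3
    bc = erasure_broadcast(sk, keys, {1, 2, 4, 5, 6})       # position 3 excluded
    print(erasure_recover(bc, {r: keys[r] for r in (1, 4, 6)}, 3, 6))
```

With ℓ = 6 and k = 3 the rate ℓ/k is 2, against ℓ for the basic [ℓ, 1, 1]_q scheme that repeats the whole key under every usable auxiliary key; the price, as the text notes, is that the pattern must guarantee a ≥ k shared keys to every non-excluded user.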

In an [n, k, m]_q erasure code, the length of the codeword C(v) is n log_2 q bits, 
whereas the length of the source message v is k log_2 q bits, and hence the rate, 
which indicates the extra bandwidth, is n/k. We note that the basic scheme uses 
an [n, 1, 1]_q erasure code in the construction. In general, we expect k to be as 
large as possible to minimise the extra bandwidth. We also note that to use this 
construction with k > 1, the parameter a in the (n, N, t)-a-KDP must satisfy 
a ≥ k, which requires larger n for the same values of N and t, and so more keys. 
A more detailed analysis of this tradeoff is an interesting problem that remains 
open. 



4 The Second Approach 

In this section, we present a different solution to the user revocation problem. In 
this approach a dynamic conference, based on a binary tree key structure and 
without the assistance of a trusted centre in the setup phase, is constructed. 
The conference is dynamic in the sense that users in the group are able to form 
subgroups and determine a unique session key. Later they can use the session key 
to have secure communication among themselves. The session key of a subgroup 
S is obtained by blacklisting, or removing, the U \ S users. Our work is influenced by 
[16,17,7], and [3]. Although these works also use a tree structure, they require a 
group controller for both the initial setup and membership update. 

In order to form a subgroup S ⊆ U, users in S need to form the session key. 
This means that each user in S should be able to act as a group controller. 
4.1 Basic Construction 

The basic idea of this construction is to apply a two-party key exchange protocol 
to a binary tree structure, and use multicasting as the mode of transmission. 
Nodes and root of the tree correspond to keys. Each leaf is a user’s secret key. 

Assume a group U of N users want to establish a dynamic conference. In 
the system setup, they agree on the values of parameters to be employed by the 
two-party key exchange protocol. Each user Ui, 1 < i < N , randomly chooses 
his secret key. They form a binary tree with N leaves and agree on their position 
on the tree leaves. The tree structure is kept by all users. Note that the tree 
might be unbalanced. Alternatively, values of parameters and tree structure can 
be generated by a Trusted Authority (TA) and securely sent to all the users. 

In a two-party key agreement protocol, each party has a key k_i which is 
kept secret. User U_1 sends k'_1 = f_1(k_1) to user U_2, and user U_2 sends k'_2 = 
f_1(k_2) in return. Now they can calculate k_{1,2} = f_2(k_1, k'_2) and k_{2,1} = f_2(k_2, k'_1), 
respectively. If f_1 and f_2 are chosen such that k_{1,2} = k_{2,1}, then the two users 
will share a key. For a key k, k' = f_1(k) is called the shadow key of k. 

The node keys in the tree are established in the leaf-to-root direction as 
follows. Firstly, each user uses his secret key k_1 and the shadow key of his 
sibling, that is k'_2 = f_1(k_2), to form his parent node key, k_{1,2} = f_2(k_1, k'_2). 
Then, each user uses his node key, which is k_{1,2}, and the shadow of the sibling 
of his node key, that is k'_{3,4} = f_1(k_{3,4}), to form the next level parent node key, 
k_{1,2,3,4} = f_2(k_{1,2}, k'_{3,4}). This process continues for every node key until reaching 
the root key. The root key is known by all users and is the group key. The shadow 
of a secret key is multicast once by its owner. The shadow of a node key, which 
is known by more than one user, is multicast once by one of the users that can 
calculate that key. Each user receives and stores the shadows of the siblings of his keys. 
These principles imply that each user stores the shadows of the siblings of his node 
keys (secret key) along his path to the root. As a consequence, each user is able 
to compute the node keys along his path to the root. 

For one or multiple removals, a subgroup S updates its tree structure and 
keys. The updating is as follows. The leaf of every deleted user is pruned and his 
parent is deleted. His sibling replaces the position of his parent. If a node key has a 
single child, it is deleted and replaced by its child. If a node key does not have 
any children, then it is deleted. This guarantees that after the updating process, 
every secret key and node key has a sibling. To obtain the subgroup key, the node 
keys and the root key that are known (compromised) by the deleted user(s) 
are updated. The process applies the two-party key exchange protocol to 
the compromised keys in the leaf-to-root direction. Only the shadows of the updated 
node keys have to be multicast. Finally, it is straightforward to update the 
root key. This root key is the subgroup key for S. 

For implementing our scheme in this paper, we apply the Diffie-Hellman key 
exchange protocol [5]. 
4.2 System Setup 

Suppose a group U of N users want to establish a dynamic conference. Firstly, 
they agree on a prime p and a generator α ∈ Z_p^*. Each user U_i, 1 ≤ i ≤ N, 
randomly chooses an integer k_i ∈ Z_p^* and keeps it as his secret key. Next, they 
form a binary tree with the number of leaves equal to N and agree on their 
position on the leaves. The tree structure is known to all users. One possible 
structure for the binary tree is shown in Figure 1. 




Formation of keys in the tree is started from k_{1,2}, k_{3,4}, ..., or k_{N-1,N}. User 
U_1 multicasts k'_1 = α^{k_1} (mod p) and U_2 multicasts k'_2 = α^{k_2} (mod p). They 
compute k_{1,2} = α^{k_1 k_2} (mod p). Users U_3 and U_4 multicast the shadows of their 
keys and compute k_{3,4} = α^{k_3 k_4} (mod p). The rest of the users do the same 
and finally, users U_{N-1} and U_N multicast the shadows of their keys and compute 
k_{N-1,N} = α^{k_{N-1} k_N} (mod p). 

The process goes up one level. User U_1, or U_2, multicasts k'_{1,2} = α^{k_{1,2}} (mod 
p), and user U_3, or U_4, multicasts k'_{3,4} = α^{k_{3,4}} (mod p). Users U_1, U_2, U_3, and U_4 
compute k_{1,2,3,4} = α^{k_{1,2} k_{3,4}} (mod p). Node key k_{5,...,N-1,N} 
is formed in the same way by users U_5, ..., U_{N-1}, U_N. 

Finally, user U_1, ..., or U_4 and user U_5, ..., or U_N multicast their shadow 
keys and compute k_{1,2,...,N-1,N} = α^{k_{1,2,3,4} k_{5,...,N-1,N}} (mod p), which is the group 
key for U. 

Each user stores the shadows of the siblings of his node keys along his path to 
the root. For example, user U_1 stores k'_2, k'_{3,4}, and k'_{5,...,N-1,N} and is able to 
compute k_{1,2}, k_{1,2,3,4}, and k_{1,2,...,N-1,N}. 

4.3 Removal Process 

The key tree of U consists of the key trees of subgroups of U. Let G = {G_1, ..., 
G_{N-2}} be the collection of subgroups of U where G_j has a session key which is a 
node key. The number of such subgroups is equal to the number of nodes in the 
tree minus the root, which is N − 2 [14]. For example, subgroup U_1, ..., U_4 has the 
session key k_{1,2,3,4}. Users of a G_j can use the subgroup key to establish secure 
communication among themselves. However, the number of these subgroups is 
less than the number of all possible subgroups of U, which is N − 2 < Σ_{k=2}^{N} C(N, k). 
When users of a subgroup S ≠ G_j, 1 ≤ j ≤ N − 2, want to obtain a subgroup 
key, they need to remove the U \ S users. 




Fig. 2. Key tree structure after removal of U_2 and U_3. 



Suppose a subset S ⊂ U, S = {U_1, U_4, ..., U_N}, want to establish a subgroup. 
They delete U_2 and U_3 and update the tree structure to Figure 2. Leaves U_2 and 
U_3 have been pruned and leaves U_1 and U_4 replace their parents. In the process 
to obtain the session key of the subgroup, keys that have been known by U_2 and U_3 
will be updated. In this case, k_{1,2,3,4} and k_{1,2,...,N-1,N} in Figure 1 are changed 
to k_{1,4} and k_{1,4,...,N-1,N} in Figure 2, respectively. 

In the updating process, user U_1 multicasts k'_1 = α^{k_1} (mod p) and U_4 multicasts 
k'_4 = α^{k_4} (mod p). They compute k_{1,4} = α^{k_1 k_4} (mod p). User U_1, or U_4, 
multicasts k'_{1,4} = α^{k_{1,4}} (mod p), and U_5, ..., U_{N-1}, U_N update their keys. Note that 
user U_5, ..., or U_N does not need to multicast k'_{5,...,N-1,N} = α^{k_{5,...,N-1,N}} (mod p) 
since it is stored by users U_1 and U_4. Finally, U_i, i = 1, 4, ..., N − 1, N, 
computes k_{1,4,...,N-1,N} = α^{k_{1,4} k_{5,...,N-1,N}} (mod p). This key is the subgroup key 
for S. 
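The setup of Section 4.2 and the removal of Section 4.3 as an added Python simulation (not the paper's code). It builds a balanced tree over a user list, publishes shadows leaf to root counting one multicast per shadow, lets every user derive the group key from nothing but his own secret and the published sibling shadows, and then removes users as in Figure 2, re-multicasting only the shadows of the keys the removed users knew. The prime, the generator value, and the class and method names are constructed for this illustration.

```python
"""Simulation of the tree-based Diffie-Hellman dynamic conference (Sections 4.2
and 4.3).  Added example: p and alpha are toy values, the multicast channel is
modelled as a dict of published shadows, and the tree is built balanced."""
import secrets

P = 2**127 - 1   # toy prime modulus; a deployment picks a safe prime of proper size
ALPHA = 3        # constructed generator value; agreement holds for any alpha in Z_p^*


class Node:
    """A leaf carries a user id; an internal node carries two children."""
    def __init__(self, user=None, left=None, right=None):
        self.user, self.left, self.right, self.parent = user, left, right, None
        for child in (left, right):
            if child is not None:
                child.parent = self


class Conference:
    def __init__(self, users):
        users = list(users)
        self.secret = {u: secrets.randbelow(P - 2) + 1 for u in users}  # k_i in Z_p^*
        self.leaf = {}
        self.root = self._build(users)
        self.shadows = {}          # node -> published shadow k' = alpha^k mod p
        self.transmissions = 0
        self._publish(self.root)   # system setup: leaf-to-root shadow multicasts

    def _build(self, users):
        if len(users) == 1:
            self.leaf[users[0]] = Node(user=users[0])
            return self.leaf[users[0]]
        mid = len(users) // 2
        return Node(left=self._build(users[:mid]), right=self._build(users[mid:]))

    def node_key(self, node, user):
        """Key of `node` as `user` computes it: start from the own secret and apply
        f2 at each ancestor with the sibling's shadow, k = (alpha^k_sib)^k_own mod p."""
        cur, key = self.leaf[user], self.secret[user]
        while cur is not node:
            parent = cur.parent
            sibling = parent.right if parent.left is cur else parent.left
            key = pow(self.shadows[sibling], key, P)
            cur = parent
        return key

    def _multicast(self, node):
        """One user who can compute the node key multicasts its shadow."""
        owner = node
        while owner.user is None:
            owner = owner.left
        self.shadows[node] = pow(ALPHA, self.node_key(node, owner.user), P)
        self.transmissions += 1

    def _publish(self, node):
        if node.user is None:
            self._publish(node.left)
            self._publish(node.right)
        if node is not self.root:      # the root key (group key) is never published
            self._multicast(node)

    def group_key(self, user):
        return self.node_key(self.root, user)

    def _depth(self, node):
        depth = 0
        while node.parent is not None:
            node, depth = node.parent, depth + 1
        return depth

    def remove(self, removed):
        """Prune the removed users' leaves, let each sibling take its parent's place,
        then refresh and re-multicast exactly the keys the removed users knew."""
        reattached = []
        for u in removed:
            leaf = self.leaf.pop(u)
            parent = leaf.parent
            sibling = parent.right if parent.left is leaf else parent.left
            grand = parent.parent
            sibling.parent = grand
            if grand is None:
                self.root = sibling
            elif grand.left is parent:
                grand.left = sibling
            else:
                grand.right = sibling
            self.shadows.pop(parent, None)
            self.shadows.pop(leaf, None)
            reattached.append(sibling)
        changed = set()
        for node in reattached:
            if node.user is not None and node.user not in self.leaf:
                continue               # this sibling was itself removed afterwards
            while node is not self.root:
                changed.add(node)
                node = node.parent
        self.transmissions = 0
        for node in sorted(changed, key=self._depth, reverse=True):
            self._multicast(node)      # children before parents, as in setup


if __name__ == "__main__":
    conf = Conference(range(1, 9))
    print("setup multicasts:", conf.transmissions, "(2N - 2 = 14)")
    conf.remove([2, 3])
    print("removal multicasts:", conf.transmissions, "; U_1 and U_5 agree:",
          conf.group_key(1) == conf.group_key(5))
```

For N = 8 the setup publishes 2N − 2 = 14 shadows and the removal of U_2 and U_3 costs three multicasts (k'_1, k'_4 and k'_{1,4}), matching the count in the text; the subtree of U_5, ..., U_8 re-uses its stored shadow. Only the shadows α^{k} are ever on the channel, so a removed user who kept every old shadow and every old node key on his path still faces a Diffie-Hellman problem to obtain the refreshed keys.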



4.4 Efficiency and Security 

To evaluate the efficiency of the proposed scheme, we consider the following 
measures: (i) the amount of users' storage, and (ii) the communication cost for 
determining the session key. Since efficiency is also influenced by the tree structure, 
for simplicity we assume that the tree structure is binary and balanced. 
Theorem 2. The above scheme based on the Diffie-Hellman key exchange protocol 
can remove any number of users from a group of N users. Each user has to 
store O(log_2 N) keys and will have a maximum transmission of log_2 N, while 
the upper bound on the total number of transmissions in the removal process is 
O(N). The system is secure against collusion of the removed users provided that 
the Diffie-Hellman problem is hard. 

Proof. Each user needs to store the shadows of the siblings of the node keys along 
his path to the root, which is log_2 N since we assume that the tree is binary 
and balanced. We know that in the removal process the shadow of a node key 
might need to be multicast to the children of the sibling of that node. If such 
multicasting is performed by a user with respect to each node along his path to 
the root, then that user needs to make log_2 N multicast transmissions. On the 
other hand, the total number of leaves and nodes in a binary tree, except the 
root node, is 

$$\sum_{i=1}^{\log_2 N} \frac{N}{2^{i-1}} = N \sum_{i=1}^{\log_2 N} \left(\frac{1}{2}\right)^{i-1} = N \cdot \frac{1 - (1/2)^{\log_2 N}}{1 - 1/2} = 2N - 2.$$

That means that the total number of transmissions in the removal process is 
bounded by 2N − 2. 

Next, we show that it is computationally infeasible for a collusion of all the 
removed users to find the updated node keys and session key. From the Diffie-Hellman 
key exchange protocol, we know that knowing the shadow of a key, it is infeasible 
to find the key itself. So any subgroup of users, even if they collude, only know 
the node keys along their paths to the root. Assume S is the set of users to 
be removed from the group. During the removal process all the node keys and 
the session key that were known to the members of S are updated. Although 
the removed users know the shadows of some keys from U \ S, the difficulty of the 
Diffie-Hellman problem guarantees that this information will not help them in 
finding the new session key. 



The structure of the tree shows that the root key (i.e. session key) is known 
to all users, and each node key is known by two or more users. This is true 
because the shadow of a node key is multicasted once by one user whose path 
passes through that node. There are 2N — 2 shadows to be multicasted which 
can be shared by all N users. Thus we have the following corollary. 



Corollary 1. The average number of transmissions for each user is ⌈(2N − 
2)/N⌉ = 2. 



5 Performance Comparison 

In this section we summarise and compare performance of our proposed schemes 
to that of the trivial scheme. Recall that the trivial scheme is constructed from 
multiple copies of a single controller scheme (section 2). In this comparison, we 
construct the trivial scheme based on the schemes of Fiat-Naor [8], Wallner et al 
[16], and Chang et al [4]. For efficiency comparison, we focus on performance in 
terms of the proportions of bandwidth, round, and storage required to update 
the session key. Bandwidth is measured by the total number of messages where 
one message contains only one key. The messages might be sent in one round or 
multiple rounds. Storage is in terms of the number of keys a user has to keep. 

For security comparison, we concentrate on the size of removal and rounds of 
removal. Size of removal is the number of users that is removed in one key update 
such that collusion of the removed users cannot break the security of system. 
Rounds of removal means the number of times the key update procedure can be 
employed while the system remains secure. 



Table 1. Performance Comparison 

                       Proposed Schemes                  Trivial Scheme, based on 
                       First         Second              Fiat-Naor     Wallner et al   Chang et al 
                       Approach      Approach            [8]           [16]            [4] 
Bandwidth              O(log N)      L:0, U:O(N)         O(log N)      L:0, U:O(N)     L:0, U:O(N) 
Round                  1             L:0, U:log N        1             L:0, U:log N    L:0, U:log N 
Storage                O(log N)      O(log N)            O(N log N)    O(N log N)      O(N log N) 
Size of removal        up to t       up to N             up to t       up to N         1 
Rounds of removal      Single        Multiple            Multiple      Multiple        Multiple 

Note: L = Lower Bound; U = Upper Bound 



Bandwidth usage of the trivial scheme can be obtained from that of the single 
controller scheme. Both schemes of Wallner et al and Chang et al have lower 
bound 0 and upper bound O(N) for bandwidth complexity for removing users. 
This can be proved similarly to Theorem 2 and section 4.3. Round complexity of 
the trivial scheme follows from that of the single controller scheme. User storage 
of the trivial scheme equals N − 1 times the storage of a leaf user, plus the 
storage of the controller in the single controller scheme. Therefore, user storage of 
the trivial scheme constructed from the Wallner et al scheme is 2N + (N − 1) log(N − 
1) ≈ O(N log N) and that of Chang et al is 2 log N + (N − 1) log(N − 1) ≈ 
O(N log N). Size and rounds of removal of the trivial scheme follow those of the 
single controller scheme. Hence, the obvious advantage of our approaches is the 
reduced user storage. 

6 Conclusion 

We considered the problem of constructing a dynamic group controller in a 
multicast environment. As we pointed out in section 2, this construction can be 
achieved by employing a trivial scheme. However, the resulting solution will be 
inefficient, in terms of key storage. We proposed two new approaches, one based 
on key distribution patterns, and the other based on key hierarchy structure and 
showed that they achieve better efficiency compared to the trivial one. We also 
evaluated the efficiency and security of our proposed schemes. 
Abstract. All human interaction is based on trust, meaning that we 
choose interaction partners and make commitment decisions based on 
how much we trust the other party. Digital certificates and public-key 
infrastructures represent an attempt to mimic real-world human 
assessment of identity and trustworthiness in an automated and mechanical 
fashion, but present implementations are based on a very limited trust 
model making them inadequate as a general tool for trust assessment 
and decision making. This paper describes public-key infrastructures in 
general and discusses issues related to trust management of public-key 
infrastructures. 



1 Introduction 

Public-key cryptography solves security problems in open networks but 
creates key management complexity. Digital messages can for example be signed by 
a private key allowing anyone with access to the corresponding public key to 
verify that the message is authentic, but this principle depends on the 
authenticity of public keys and the problem boils down to finding a method for secure 
distribution of public keys. 

Public-key infrastructures (PKI) simplify key management and distribution 
but create trust management problems. A PKI refers to an infrastructure for 
distributing public keys where the authenticity of public keys is certified by 
Certification Authorities (CA). A certificate basically consists of the CA's digital 
signature on the public key together with the owner identity, thereby linking the 
two together in an unambiguous way. In order to verify a certificate the CA's 
public key is needed, thereby creating an identical authentication problem. The 
CA's public key can be certified by another CA etc., but in the end you need 
to receive the public key of some CA out-of-band in a secure way, and various 
solutions can be imagined for that purpose. 

However, there is a problem in this design. What happens if a CA issues a 
certificate but does not properly check the identity of the owner, or worse, what 
happens if a CA deliberately issues a certificate to someone with a false 
owner identity? Furthermore, what happens if a private key with a corresponding 
public-key certificate is leaked to the public domain by accident, or worse, by 
intent? Such events could lead to systems and users making totally wrong 
assumptions about identities in computer networks. Clearly CAs must be trusted 
to be honest and to do their job properly and users must be trusted to protect 
their private keys. Trust management includes methods for assessing policies 
regarding issuance and handling of public-key certificates and for determining 
whether these policies are adhered to by CAs and users, with the purpose of 
making decisions related to on-line activities. 

2 Public Key Infrastructures 

Internet users can not base their judgements about identity of remote parties 
on faces or familiar voices, meaning that electronically received information a 
priori can not be trusted. Instead public-key certificates combined with public- 
key cryptography can be used to authenticate identity and message origin. 

2.1 Certification Chains 

The first certification system in any standard was the X.509v1 Authentication 
Framework [1], designed by CCITT/ITU for the purpose of securing the X.500 
Directory [2] and intended to work with a hierarchy of certification authorities. 

X.509v1 has been further developed into X.509v2 and X.509v3 in order to 
overcome weaknesses in the earlier versions, and X.509v3 is the basis of the IETF 
PKIX working group which is aiming at developing a general purpose public key 
certification infrastructure for the Internet. The format of X.509 certificates is 
illustrated in Fig. 1. 




Fig. 1. X.509 certificate with extension part 



The X.500 Directory was never adopted by the Internet community because 
it and the corresponding Directory Access Protocol (DAP) [3] were seen as too 
complex for simple Internet clients to use. Instead LDAP (Lightweight 
Directory Access Protocol) [4], which is a relatively simple protocol for updating and 
searching directories running over TCP/IP, is used. 

The X.509 standard is often vague and open-ended, which means that an 
additional X.509 certificate profile is required in order to implement certificate 
handling on a real system. Since the original X.509 certificate format was 
specified to fit with the original X.500 directory which is no longer used, the format 
contains a number of more or less redundant fields. In the main body only "Validity", 
"Public key" and "Digital signature" are really needed. "Issuer name" 
and "Subject name" are still used, but they are interpreted as general names 
rather than entries in a directory. Apart from that everything else is found in 
the extension part. 

In order for two users to verify the authenticity of each other's public keys it is 
sufficient that there exists a certification path between them. A certification path 
is an ordered sequence of certificates which together with the public key of the 
initial certificate in the path can be processed to obtain the public key contained 
in the final certificate in the path. The rules for certification path validation are 
quite complex depending on what extensions are in the certificate. See e.g. [5] 
for examples. 
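As an added illustration of certification path processing (not part of the paper, which describes X.509 paths in prose), the Python code below models a certificate as the issuer's signature over the subject's name and public key and walks an ordered path from a root key obtained out-of-band to the final public key. It uses a constructed Schnorr-style signature over a toy group so that it runs without any library; the names make_cert and process_path, the group parameters and the certificate layout are assumptions of this example and not X.509 structures.

```python
"""Certification path processing of Section 2.1 with a toy discrete-log signature.
Added example: group parameters, signature scheme and certificate layout are
constructed for illustration, not X.509 and not from the paper."""
import hashlib
import secrets

P = 2**127 - 1      # toy prime modulus; a deployment uses a standardised group
G = 3               # constructed generator value
ORDER = P - 1       # exponents are reduced modulo p - 1 (Fermat)


def keygen():
    """Return (private, public) = (x, g^x mod p)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def _challenge(R, y, msg):
    data = f"{R}|{y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def sign(x, msg):
    """Schnorr-style: R = g^r, e = H(R, y, m), s = r + e*x mod (p-1)."""
    r = secrets.randbelow(ORDER - 1) + 1
    R = pow(G, r, P)
    e = _challenge(R, pow(G, x, P), msg)
    return R, (r + e * x) % ORDER


def verify(y, msg, sig):
    """Accept iff g^s == R * y^e mod p."""
    R, s = sig
    e = _challenge(R, y, msg)
    return pow(G, s, P) == R * pow(y, e, P) % P


def _to_be_signed(subject_name, subject_pub):
    return f"{subject_name}|{subject_pub}".encode()


def make_cert(issuer_name, issuer_priv, subject_name, subject_pub):
    """A certificate: the issuer's signature binding a subject name to a public key."""
    return {"issuer": issuer_name, "subject": subject_name, "pub": subject_pub,
            "sig": sign(issuer_priv, _to_be_signed(subject_name, subject_pub))}


def process_path(trusted_roots, path):
    """Process an ordered certificate sequence starting from a root public key known
    out-of-band.  Returns the public key in the final certificate, or None when the
    first issuer is not a known root, a link is not issued by the previous subject,
    or a signature does not verify under the previous link's key."""
    if not path or path[0]["issuer"] not in trusted_roots:
        return None                       # unknown root: the user cannot be identified
    key = trusted_roots[path[0]["issuer"]]
    for i, cert in enumerate(path):
        if i > 0 and cert["issuer"] != path[i - 1]["subject"]:
            return None
        if not verify(key, _to_be_signed(cert["subject"], cert["pub"]), cert["sig"]):
            return None
        key = cert["pub"]                 # this key certifies the next link
    return key


if __name__ == "__main__":
    root_x, root_y = keygen()
    ca_x, ca_y = keygen()
    _, alice_y = keygen()
    path = [make_cert("Root", root_x, "CA1", ca_y), make_cert("CA1", ca_x, "alice", alice_y)]
    print(process_path({"Root": root_y}, path) == alice_y)
    print(process_path({"OtherRoot": keygen()[1]}, path))   # isolated hierarchy: None
```

The last line is the situation of isolated hierarchies in Section 2.2: a relying party holding only another hierarchy's root key gets no result for the same, otherwise valid, path. Note also what a successful result does and does not say: it binds a name to a key under the issuers' policies and says nothing about the honesty of those issuers or the safety of anything the key later signs.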

2.2 Certification Hierarchies 

Certification between nodes is directed from the certifier to the owner of the 
certified key. Certification is unidirectional when an agent X certifies the public 
key of another agent Y, and bidirectional when the agents X and Y certify each 
other's public keys. In the PKI jargon "certifying a user" means "certifying the 
user's public key". Chained certification can form different topologies. 

Strict Hierarchy. Most commercial PKIs are strict hierarchies, as illustrated 
in Fig. 2, and most only consist of one or two levels. The certification paths go 
strictly from the top root CA, eventually via intermediate CAs, and down to 
users, where the users are assumed to be certified by the leaf nodes. 




Fig. 2. A strict certification hierarchy 



In a strict hierarchy all users can be easily identified and found because of 
the hierarchic structure. A user must know the public key of the top root in 
order to resolve certificate chains and establish a certification chain to any other 
user in the hierarchy. 
General Hierarchy. A general hierarchy includes two-way certification 
between CAs, as illustrated in Fig. 3. 




Fig. 3. A general certification hierarchy 



When certification takes place in both upwards and downwards direction, 
each user will only need to obtain an authentic copy of the nearest CA’s public 
key, while still being able to establish a certification path to every other user in 
the network. The X.509 standard [1] suggests a general hierarchy of this type, 
but no commercial PKI uses this topology. 



Anarchic PKI. The opposite to a hierarchic structure is an anarchic structure 
where each CA (and user) is free to choose which other CAs (and users) it wants 
to certify, as illustrated in Fig. 4. 







Fig. 4. Anarchic certification structure 



The anarchic structure corresponds to the Web of trust on which PGP [6] 
is based. It consists of unidirectional and/or bidirectional certification between 
arbitrary agents. There is in principle no difference between users and CAs. 
The disadvantage of an anarchic certification network compared to a hierarchic 
structure is that there exists no simple algorithm for identifying certification 
paths between all users of an anarchic network, whereas such algorithms exist 
for hierarchic networks. A user must obtain as many public keys as possible in 
order to establish certification chains to other users. 




PKI Seeks a Trusting Relationship 



195 



Isolated Hierarchies. Many PKIs can exist in parallel without being linked 
to each other as illustrated in Fig. 5. 




Fig. 5. Isolated certification hierarchies 



A user must obtain the root public key of every PKI in order to verify 
certificates of users in all hierarchies. Users belonging to hierarchies with unknown 
root can not be identified. 

PKIs used for the Internet Web consist of isolated strict hierarchies, and are 
in fact a topology of this kind. The root public keys are stored hard-coded in 
the most popular Web browsers. There are about 50 root keys delivered with 
Netscape Communicator release 4.6 or Microsoft Internet Explorer release 5.0. 

Cross Certified Hierarchies. In order to avoid requiring that users acquire 
several public keys the hierarchies themselves can be cross certified as illustrated 
in Fig. 6. In case the hierarchies are strict it is sufficient that a user obtains an 
authentic copy of its own root's public key while still being able to establish a 
certification chain to any user in any hierarchy. 




Cross certification between PKIs would simplify the distribution of root 
public keys, and would make PKIs truly open. The main problem opposing this 
development is that CAs in general have incompatible policies whereas cross 
certification requires some sort of policy alignment. A government can for example 
enforce a common policy and cross certification between all PKIs used by the 
public administration, but spontaneous cross certification between commercial 
PKIs has so far not been widespread. 
3 PKI Management 

The cryptographic aspects of PKIs are relatively well understood. The 
deployment of PKIs on the other hand requires management, and so far we have seen 
the emergence of two types of PKI management. 

3.1 Web PKI 

For Web PKIs the root public keys are hard-coded in Web browsers as self signed 
X.509v3 certificates, i.e. the public key has been certified by the corresponding 
private key. The only purpose of self certification is to simplify the certificate 
handling; the browser only needs to deal with certificates. Self certification 
provides no additional trust in the public key, and as such the term "self certification" 
can be misleading. 

Since root certificates are hard-coded in the browsers they can not easily be 
upgraded. Root key management must in fact follow the pace of browser releases 
and distribution. Not only must changes be implemented in the next release of 
the most popular browsers, the users also have to upgrade the browser on their 
computers to the newest release. If for example public key revocation shall be 
useful it must be possible to enforce it relatively rapidly. Because this is not 
possible for root certificates it is in practice not possible to revoke them. 

The most widely used application is presently to establish encrypted 
connections using the SSL protocol [7]. Another popular application is email encryption 
based on the S/MIME [8,9] standard which consists of digitally encrypting the 
body (and not the head) of email messages. A third application is for digitally 
signing SW components. The security problem users are facing regarding active 
components such as Java applets and Microsoft's ActiveX components is whether 
such imported programs can safely be executed. One way this can be solved in 
Web browsers is to have the components digitally signed by the manufacturer's 
public key which previously has been certified by a CA. This only indicates the 
SW manufacturer's identity and does not say whether it is safe to let the SW 
component be executed. 

3.2 Managed PKI 

In contrast to Web PKIs, a managed PKI does not distribute root public keys 
piggy-backed with Web browsers, but is based on separate out-of-band 
procedures managed by the organisation that operates the PKI. This organisation 
usually operates CA servers from which user certificates can be downloaded. 
Managed PKIs are operated by an organisation to meet specific needs within the 
organisation or as a business activity. The organisation will have full control over 
the trust structure in the PKI hierarchy, but without being Web-born managed 
PKIs do not easily get global coverage. Managed PKIs can provide high trust 
and thus be suitable for high value transactions. 
Organisations operating managed PKIs can decide, or be required by
law in a particular country, to establish cross certification with other managed
PKIs and in that way create a PKI consisting of several interlinked certification
hierarchies.

Secure distribution of the root public key is essential for managed PKIs, and
a typical solution is to equip each user with a smart card containing the user’s
private key in addition to the root public key.



4 Trust Management 

It is assumed that trust is a belief based on knowledge, experience and perception.
In the physical world trust in things and in other people is based on our
experience with them, information we have received about them and how they
appear to us. All this makes trust a very subjective phenomenon, meaning that
I don’t necessarily trust the same things or the same people as you and vice
versa. The number of people we can potentially relate to within the physical world
is also limited by distance and physical constraints. In the cyberworld on the
other hand the number of people we can potentially relate to is only limited by
the number of people that are on-line.

Cryptography can be interpreted as a mechanism for transferring trust from
where it exists to where it is needed. For example, if you initially trust the
authenticity of a public key and you verify a message signed by the corresponding
private key, then you will also trust the authenticity of the message. As such
certificates and PKIs do not create trust, they merely propagate it, and users
must initially trust something. Initial trust is traditionally established off-line,
i.e. in the physical world, but it is perfectly possible to get experience and gain
trust purely through on-line activities.

The challenge is to find a good method for making trust assessments about
potential remote transaction partners in computer networks. A transaction partner
can be someone you already know, but it can also be someone who is totally
unknown, with whom you have never interacted before and with whom you
might never interact again after the transaction.

Trust assessment must be based on some initial trust combined with trust
propagating mechanisms, and should provide a basis for decision making. Trust
management is about all that, and can be defined as the activity of making trust
assessments by collecting, analysing and codifying relevant evidence with the
purpose of making trust based decisions. The number of potential transaction
partners on the Internet is presently around 100 million and the goal must be
to make trust management schemes scalable to that size.
4.1 Certification Policies and Certification Practice Statements

The degree to which users can trust the binding between the public key and the
owner identity stored in a certificate depends on several factors, including the
practices followed by the CA in verifying the identity of the owner, the CA’s
operating policy, procedures and security controls, the owner’s obligations, e.g.
regarding secure storage of the private key, and legal obligations of the CA such
as warranties and obligation limitations.

According to X.509 a certification policy is “a named set of rules that indicates
the applicability of a certificate to a particular community and/or class of
application with common security requirements” [1]. To the degree that a certification
policy exists or is applicable to a particular application it provides users
with evidence for assessing the trustworthiness of certificates issued by CAs that
adhere to the policy.

A more detailed description of the practices followed by a CA can be found
in its Certification Practice Statement (CPS). According to the American Bar
Association Digital Signature Guidelines “a CPS is a statement of the practices
which a certification authority employs in issuing certificates” [10]. The CPS
defines under what conditions certificates are issued and which liabilities the
CA takes on itself and which are put on the user. Usually a CA offers different
certification classes with varying degrees of confidence in the key-to-owner binding,
with the purpose of being suitable for different applications. The general principle
is: the higher the confidence, the more thorough the identity verification before
issuing a certificate. For commercial CAs it can be added that the price you pay
for a certificate increases with the confidence level.

The concepts of certificate policy and CPS were developed by different bodies 
for different reasons. A CPS is very specific and usually applies to a single CA 
whereas a certificate policy is more general and is intended to be applicable to 
larger domains. 

Computers do not understand policies and CPSs although some attempts 
are being made for that purpose by including a certification policy extension in 
the X.509 certificate together with policy constraints and policy mappings. The 
certification policies extension in its minimal form provides a means of identifying 
the policy a certificate was issued under. 

The idea behind the policy constraints and policy mappings is that the application
can automatically check and enforce them at run time, for example by
checking that the certificate policy corresponds to the application policy or that
the certification policies of certificates in a chain are compatible. This of course
requires standardised policies and constraints, and although seemingly difficult
to achieve it would create several new possibilities.



4.2 Trust Management for the Web PKI 

Unfortunately the notion of certificate policy does not exist for the Web. Primarily
it would be rather difficult to define a policy that satisfies all user communities
as well as all present and future applications, and secondly if such a
policy could be defined it would probably be too general to be useful to anyone.
Instead each CA that operates on the Web has its own CPS.

If it is to be meaningful for a user to trust a PKI based on trust in the
root CA, then the CPS strength of intermediate CAs must be equal or increasing
downwards in the hierarchy. In the same way, if it is to be meaningful to trust
other cross certified PKIs based on one’s own root CA, then the CPS strength
in the other PKIs must be equal or greater. However, CPSs are usually difficult
to compare unless they are accredited against an industry standard policy, and
cannot be translated into a one-dimensional measure. It is therefore difficult to
establish cross certification between PKIs, and as a result the Web PKI consists
of isolated hierarchies; but because the public keys of all root CAs are hard-coded
and distributed with the Web browsers, cross certification is not really needed.

When accepting a certificate the user should really check the corresponding 
CPS, and if applicable the certification policy, to see what the certificate is worth, 
but because this would require the user to read a document of at least 10 pages 
each time a secure Web site is visited it is hardly ever done. The trust model of 
the Web PKI is more the result of the need for a business model than the need 
for good trust management. 

The advantage for the major browser manufacturers is that they can provide 
CAs with global coverage by distributing the CA root public keys hard-coded 
in the browsers, the advantage for the CAs is that they can provide Web server 
operators with global acceptance of their server certificates, and the apparent 
advantage for the users is that they get a Web interface that anyone is able to 
use and that hides the complexities of the underlying cryptographic mechanisms. 

A problem with this model is that distribution of root keys is linked to
the distribution of particular Web browsers. As already mentioned, the present
implementation of PKIs in Web browsers does not allow certificate revocation
and thereby represents a time bomb. If a private key is leaked to the public
domain the corresponding certificate can be misused by anyone in order to set
up false secure Web sites, send false email messages or distribute malicious SW
under a false name, and tragically there exists no simple way of stopping such
attacks even after they have been reported. Another problem is that the Web
interface provides very poor trust management to the user. In order to trust a
secure Web site, an encrypted message or a digitally signed SW component, only
the identity of the certificate owner and the CA identity are available
to the user. The user can only make an informed decision if both are known,
but is left totally in the dark in case they are not. The browser interface usually
presents dialog boxes, but experience shows that users find dialog boxes annoying
and tend to blindly click “yes” or simply turn off the security settings in order
not to be interrupted by dialog boxes anymore. The following section describes
potential consequences of these problems.



4.3 The SSL Attack 

In order for a user to trust that something is authentic he or she must be presented
with some evidence that can be correctly interpreted. For the purpose of
verifying the authenticity of Web servers SSL represents a strong authentication
mechanism, but unless the evidence of this verification is intelligibly presented
to the user the mechanism can be quite useless.

Assume a user A who wants to access Web services from secure server B, which
for example can be a bank providing financial transaction services for its clients.
In the normal scenario, client A points his Web browser to bank B’s Web site.
The Web server returns B’s certificate Cert_B to A’s browser, which verifies the
certificate using the pre-stored public key of the root CA that generated Cert_B.
After successful certificate validation A’s browser continues the communication
with B in secure SSL mode.

Fig. 7 below shows user A’s client machine on the left and bank B’s server on 
the right side. We will show that the intruder T in the middle is able to make 
both A and B think they are communicating with each other although they in 
fact communicate with T. 





Fig. 7. Attack on SSL authentication 



In the attack, the intruder Web server T acts as a relay between A and B 
passing the HTML pages from B to A and the requests from A to B. For the 
attack to work user A must be fooled into pointing her browser to T instead 
of to B. This can for example be done by placing a false URL on a portal 
until somebody accesses T from it in the belief that he or she accesses B. After 
a successful attack, the false URL can be removed in order not to leave any 
evidence of where the attack came from. 

It is assumed that the intruder T has obtained a valid certificate Cert_T,
either by buying it or because a private key with a corresponding certificate
has been leaked to the public domain. When the client A has established an SSL
connection to the intruding server T using T’s certificate, the intruding server
establishes an SSL connection to the bank B using the bank’s certificate Cert_B
and simply relays the data sent by A and B to the opposite sides via two different
SSL connections, including possible user passwords, so that A and B think they
communicate with each other. When A sends a request to transfer money from
her own account for paying a bill, T is able to modify the destination account
number and the amount.



PKI Seeks a Trusting Relationship 201 



When a secure SSL connection is established the server is supposed to be 
authenticated by the client, as indicated by the key or the padlock icon on the 
browser window. However, this only indicates that something is authenticated 
and not what in particular, which for all practical purposes means that nothing 
at all has been authenticated. The blame for this vulnerability can of course be 
put on poor interface design, but the problem is also related to user awareness, 
and technology can only help making awareness easier to practice. 

The browser does allow viewing a certificate by clicking on the padlock icon,
but users hardly ever do this, and even security aware users who view the certificate
when accessing a secure Web site can have difficulty in judging whether the
information on the HTML page has been sent by the owner of the certificate.
The system interface should make it easy to view, understand and believe in
certificates. Requiring the user to explicitly make several extra mouse clicks in
order to view a certificate that is hardly intelligible is simply not good enough.

A better user interface can be based on including the server company logo in
the certificate and letting the interface always display it when a secure connection
is established. This will allow a quick visual check at any time, without extra mouse
clicks, in order to verify the server identity. Alternatively an audible message can
be included in the certificate and played to the user. However, users might not
pay any attention to these features after a while, so the problem of user
awareness will not go away. All we can do is to create a system interface that
helps users to be more aware.
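The following Go program is an illustration added to this text, not code from the paper or from any browser vendor. Using only Go's standard crypto/x509 package it builds a hypothetical three-level PKI in memory and makes three of the points from Sections 3.1, 4 and 4.3 concrete: a self-signed root verifies under its own key, which proves nothing about the key's owner; the server certificate validates only when the root is in the local trust store, i.e. only after the user has supplied initial trust; and what the chain actually authenticates is the name in the certificate, so a relying party should compare that name with the site it intended to reach and show it to the user rather than a bare padlock. All names (Demo Root CA, Demo Sub CA, www.bank.example, www.relay.example) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI holds a constructed hierarchy: self-signed root, subordinate CA, server.
type demoPKI struct {
	Root, Sub, Server *x509.Certificate
}

// issue signs tmpl for a freshly generated key. With parent == nil the
// certificate is self-signed: the key certifies itself, which is exactly the
// "self certification" a hard-coded browser root consists of.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds a minimal certificate template for the hypothetical names used here.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// buildPKI creates root -> sub CA -> server certificate for www.bank.example.
func buildPKI() (*demoPKI, error) {
	root, rootKey, err := issue(template(1, "Demo Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	sub, subKey, err := issue(template(2, "Demo Sub CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	srv := template(3, "www.bank.example", false)
	srv.KeyUsage = x509.KeyUsageDigitalSignature
	srv.DNSNames = []string{"www.bank.example"}
	srv.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	server, _, err := issue(srv, sub, subKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{Root: root, Sub: sub, Server: server}, nil
}

// SelfSignatureChecks reports whether the root's signature verifies under its
// own public key. It always does, and that says nothing about who holds the key.
func SelfSignatureChecks(p *demoPKI) bool {
	return p.Root.CheckSignatureFrom(p.Root) == nil
}

// VerifyServer validates the server certificate for the host the user meant to
// reach. trustRoot says whether the root is in the local trust store (the
// initial trust every relying party must supply). On success it returns the
// subject names of the accepted chain, leaf first: this is what was authenticated.
func VerifyServer(p *demoPKI, trustRoot bool, host string) ([]string, error) {
	roots := x509.NewCertPool() // non-nil but possibly empty: no system roots are consulted
	if trustRoot {
		roots.AddCert(p.Root)
	}
	inter := x509.NewCertPool()
	inter.AddCert(p.Sub)
	chains, err := p.Server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("root verifies under its own key:", SelfSignatureChecks(p))
	for _, tc := range []struct {
		trust bool
		host  string
	}{{true, "www.bank.example"}, {false, "www.bank.example"}, {true, "www.relay.example"}} {
		chain, err := VerifyServer(p, tc.trust, tc.host)
		fmt.Printf("trustRoot=%v host=%s -> chain=%v err=%v\n", tc.trust, tc.host, chain, err)
	}
}
```

The third case is the defender's side of the relay scenario in this section: a perfectly valid certificate for another name is rejected for the host the user intended, and the returned chain names are what an interface should display so that the user can see what, not merely that something, was authenticated.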

5 A Better Trust Management 

Some of the problems persisting in present PKI implementations include: 

Computers don’t understand the semantics of a policy. 

A certificate policy or a CPS is a piece of rather lengthy and complex prose 
text that can only be read by humans. It would be desirable to be able to 
specify certificate policies in such a form that they can be interpreted by 
computers in an automatic and mechanical fashion. 

Cross Certification Requires Equal Policies.

If it is to be meaningful to trust the root CA in a PKI as a representative
of cross certified PKIs then the policy strength must be equal in both PKIs.
However, “policy strength” is a multi-dimensional measure that is difficult to
match. Cross certification is therefore difficult to achieve unless the policies
themselves are equal.

PKIs do not handle trust dilution.

Real-world trust is intuitively diluted in a chain of recommendations, but
present PKI implementations only provide a binary trust model.

PKIs do not take into account parallel certification paths.

Real world trust is often based on multiple recommendations. It would be
useful to have something similar in PKIs but present implementations only
handle single certification chains.

PKIs give little support for decision making.

PKIs give little support for answering questions such as: “For a given
certification path and a given user, what is the upper transaction value you
are willing to risk?” and “For a given transaction, how can you select the
transaction partner that will minimise your risk?”

5.1 Including Subjective Trust Measures in Certificates 

One possible solution is to include subjective measures of trust within a certificate
and combine these parameters in order to deduce trust in remote users and
systems. Such a trust measure can represent the policy within the certificate in
addition to trust in the reliability of CAs and users themselves, can be understood
by humans and can be automatically handled by computers. In addition,
trust dilution can be handled by combining trust measures in series, and trust
from multiple certification paths can be combined in parallel. It would allow
cross certification to be established between arbitrary pairs of CAs by simply
specifying within the certificate how much one CA trusts the other. Finally trust
measures can be combined with transaction utility functions in order to support
decision making.

This type of trust model is for example described in [11]. An unresolved problem
related to this model is how users can consistently determine subjective trust
measures. Another problem is that the trust measures are communicated to
other users and thereby cannot be kept confidential, whereas a CA might not
want to disclose that it distrusts users or other CAs. Finally CAs might not
want to make any explicit statement about trust in other CAs as it might imply
liabilities.

5.2 Policy Alignment 

A common misconception with X.509 based PKIs is that CAs are making statements
about trust when issuing a certificate. In most cases, a CA is merely following
a defined procedure and evaluating objective evidence to determine a binding
between a public key pair and its owner, and the issue of whether to trust this user is one
that the relying party must resolve, based on their subjective judgements about
the statements and policy made by the CA. This is particularly important in
the case of certification chains, which are usually not “chains of trust” as some
PKI literature suggests, but are in fact simply a series of signed statements
by CAs that attest to a binding between keys and some objective evidence as
determined by following the process outlined in a particular policy and CPS. It
is believed that the commercial nature of most CAs precludes them from making
subjective statements, as this exposes them to too much risk. Contrast this with the
PGP system, which is based on meeting the needs of small communities of users,
and where users are much more likely to make statements about trust.

One of the biggest problems for users when evaluating policy chains is the
problem of ensuring equivalent policies across all links of the chain. The approach
taken by X.509 is to specify a path validation algorithm that requires that all
certificates in a chain contain the same policy identifier, or a policy that has
been “mapped” to an equivalent policy using the policyMappings extension.
This approach reflects the general philosophy of X.509, which tends towards a
centrally managed design. This is also consistent with related work such as the
NIST PKI architecture [12] and work being done in the Australian Standards
working group IT/12/4/1 to develop an architecture for PKI systems [13]. Both
these approaches have an architectural model which consists of a hierarchy of
components consisting of the following:

— A Policy Approval Authority (PAA). This is a root authority whose
job is to approve the policies of other entities in the hierarchy. Note that the
PAA itself does not assert any policy, it simply issues a self-signed certificate
that must be trusted by some out of band means. The PAA will most likely
be a statutory body created by a government and will operate according to
a particular set of rules.

— A Policy Creation Authority (PCA). The role of the PCA is to act as a 
policy creation body of a community of users. An example would be a group 
of banks who get together to decide on a common policy for retail/wholesale 
banking. These banks would form a single entity - a banking PCA, that 
was responsible for setting policy in the banking sector. The PAA would 
then approve the policy(s) set by this PCA by issuing it with one or more 
certificates asserting the policy identifier. 

— Certification Authorities. The CAs will issue certificates under one or 
more policies. These policies may have been set by a PCA, or they may be 
specific to the CA (either with an approved policy - i.e. the CA is acting 
as a PCA, or an unapproved policy - i.e. the CA is operating outside the 
architectural model). 

This paradigm encourages users to trust the PCA to set an appropriate
policy for the domain of application. The user simply selects the policy identifier
defined by the PCA for the given application and trusts that the infrastructure
and requirements set up by the PCA and PAA are such that the policy will be
appropriate, and that CAs operating under that policy will behave appropriately.
In a sense the user is deferring some of their trust to the infrastructure. This
is definitely appropriate in many cases; we tend to rely on our legal and socio-political
systems to a large extent when conducting commerce in the real world,
so it only seems natural to translate this into the electronic world.

However, there are also a number of problems with this model. Many governments
(including Australia’s) have punted on the idea of setting up a PAA.
This seems largely due to the perception of this body as being a huge liability
risk due to the large amount of damage possible from compromising the PAA’s
private keys. The absence of a PAA favours a disjoint model, with a number of
PCAs acting as root authorities for their community of interest, and requiring
the user to obtain the public keys/self-signed certificates of each of these CAs
by out-of-band means.

In addition, it makes the issue of cross-certification quite difficult. In order
to cross-certify, two CAs must agree to mark each other’s policies as equivalent.
However, it is more than likely that this will not be the case. X.509 contains
a number of mechanisms for parent CAs to prevent subordinate CAs from
doing this. They can inhibit the ability for child CAs to do policy mapping,
and they can restrict the certification path such that a subordinate CA can only
issue certificates to end-entities and not to other CAs. It is more than likely
that cross-certification would have to occur at the level of PCAs to enforce the
policy. This can also be used to enforce commercial limitations on CAs. For
example, a commercial CA with its root keys embedded in the browser sells a
cross-certification service so that another CA can issue certificates that do not
require browser bootstrapping. However, this CA is unlikely to want to allow
the subordinate CA to then resell this service to other CAs and so will seek to
limit the subordinate CA to only issuing end-entity certificates.
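The policy processing described above (same policy identifier in every certificate, or one reached through a policyMappings entry, and a superior CA's ability to inhibit mapping) can be shown in a few lines. The Go program below is an added illustration, not code from the paper, from X.509 or from RFC 2459: it is a deliberately simplified model in which each certificate carries a set of policy OIDs, an optional mapping table and a boolean "inhibit mapping" flag, rather than the full valid_policy_tree and skip-certs counters of the real path validation algorithm. The structures, the subject names and the OIDs (which sit under 2.999, the ITU-T arc reserved for examples) are all constructed; the path is processed from the certificate issued by the trust anchor down to the end entity, and the function returns the initial user policies that survive the whole path.

```go
package main

import (
	"fmt"
	"sort"
)

// anyPolicy is the X.509 special policy value that places no restriction.
const anyPolicy = "2.5.29.32.0"

// PolicyCert is the policy-relevant subset of one certificate in a path.
// Constructed, simplified model for this example; not the ASN.1 extension syntax.
type PolicyCert struct {
	Subject        string
	Policies       []string          // certificatePolicies asserted by the issuer of this certificate
	Mappings       map[string]string // policyMappings: issuerDomainPolicy -> subjectDomainPolicy
	InhibitMapping bool              // policyConstraints: no mapping in any certificate below this one
}

// ValidPolicies walks the path (trust anchor's child first, end entity last)
// and keeps the subset of the relying party's initial policies that every
// certificate asserts, directly or through a mapping declared by a superior CA.
// An empty set is an error: the path is acceptable under none of those policies.
func ValidPolicies(initial []string, path []PolicyCert) ([]string, error) {
	valid := toSet(initial) // expressed in the policy domain of the current issuer
	inhibited := false
	for i, c := range path {
		asserted := toSet(c.Policies)
		if !asserted[anyPolicy] {
			for p := range valid {
				if !asserted[p] {
					delete(valid, p) // deleting while ranging over a map is safe in Go
				}
			}
		}
		if len(valid) == 0 {
			return nil, fmt.Errorf("certificate %d (%s): no acceptable policy remains", i, c.Subject)
		}
		if len(c.Mappings) > 0 {
			if inhibited {
				return nil, fmt.Errorf("certificate %d (%s): policy mapping inhibited by a superior CA", i, c.Subject)
			}
			// Translate the surviving policies into the domain the subject CA will assert.
			next := map[string]bool{}
			for p := range valid {
				if m, ok := c.Mappings[p]; ok {
					next[m] = true
				} else {
					next[p] = true
				}
			}
			valid = next
		}
		if c.InhibitMapping {
			inhibited = true
		}
	}
	return sortedKeys(valid), nil
}

func toSet(xs []string) map[string]bool {
	s := map[string]bool{}
	for _, x := range xs {
		s[x] = true
	}
	return s
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed paths: PCA-1's banking policy is 2.999.1, PCA-2 runs an
// equivalent policy 2.999.2. Names and OIDs are invented for the example.
var (
	straightPath = []PolicyCert{
		{Subject: "Banking PCA-1", Policies: []string{"2.999.1"}},
		{Subject: "Bank CA", Policies: []string{"2.999.1"}},
		{Subject: "alice", Policies: []string{"2.999.1"}},
	}
	// Cross-certificate issued to PCA-2 declaring 2.999.1 equivalent to 2.999.2.
	crossPath = []PolicyCert{
		{Subject: "Banking PCA-2", Policies: []string{"2.999.1"}, Mappings: map[string]string{"2.999.1": "2.999.2"}},
		{Subject: "Other Bank CA", Policies: []string{"2.999.2"}},
		{Subject: "bob", Policies: []string{"2.999.2"}},
	}
	// Same cross-certificate, but the PCA-1 certificate above it forbids mapping.
	inhibitedPath = append([]PolicyCert{
		{Subject: "Banking PCA-1", Policies: []string{"2.999.1"}, InhibitMapping: true},
	}, crossPath...)
)

func main() {
	for _, tc := range []struct {
		name string
		path []PolicyCert
	}{{"straight", straightPath}, {"cross", crossPath}, {"inhibited", inhibitedPath}} {
		got, err := ValidPolicies([]string{"2.999.1"}, tc.path)
		fmt.Printf("%-9s -> %v (err: %v)\n", tc.name, got, err)
	}
}
```

The three paths show the behaviours the text describes: a straight hierarchy under one identifier passes; a cross-certificate with a mapping lets a relying party who accepts 2.999.1 also accept certificates issued under 2.999.2; and the same cross-certificate is rejected once a superior CA has set the inhibit flag, which is how a parent CA prevents a subordinate from extending the policy domain on its own.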

Another criticism is that while a single policy identifier is enforced across 
multiple CAs, there are clearly different roles being played by each certificate in 
the chain. For example: 

— The PAA will issue a self-signed certificate containing its public key. As
noted this is simply a convenient mechanism for “bootstrapping” the certification
path, and therefore asserting a policy in this certificate is basically
meaningless.

— The PAA will then issue a certificate to the PCA asserting the policy identi- 
fier which the PCA has created. This certificate is a statement in effect that 
the PAA “approves” this policy for use within its framework. 

— The PCA will then issue a certificate to one or more CAs asserting the 
policy identifier it has created. This certificate is a statement that the CA 
identified is authorised to operate within the community of interest that the 
policy defines. 

— The CA issues a certificate to an end-entity. This certificate is a statement 
that the CA has followed the rules of the policy as they relate to registration 
of users, and has verified the binding between the user and their public key. 

While these roles are very different, they are essentially implicit semantics, 
and the only thing that the user knows is that the certificates have all been 
issued under the same/equivalent policy. The user must simply trust that the 
framework that exists has ensured that the ordering of CAs in the chain is 
appropriate to their function. 

While this may be appropriate in some instances, it makes it difficult to build 
ad hoc relationships, and it means that information is lost in the process. This 
is particularly problematic in the case of cross-certificates. 

What is needed is a way for the information about policies to be expressed in
a standard interpretable way such that a relying party can make all the decisions
about whether policies are equivalent, and whether they are appropriate for a
given application. It is, after all, the relying party who has to bear any risk about
who/what they trust.
6 Conclusion

A public-key infrastructure is, technically seen, a structure of cryptographically
linked data objects that can be transmitted through a data network and from
which public keys can be extracted. However, extracting public keys and using
them in security applications is only meaningful if the public-key infrastructure
is linked to a corresponding trust structure, and for this purpose trust management
is needed. Trust management can be defined as the activity of making trust
assessments by collecting, analysing and codifying relevant evidence, with the
purpose of making trust based decisions. Trust models in present PKI implementations
are too limited for providing users with trust management facilities, and
possible solutions include richer trust models and standardised certificate
policies.
Abstract. In this article we look at some of the problems associated
with trying to provide a specification for a Public Key Infrastructure
(PKI). We focus on the PKI profile that has been proposed for use with
the Internet, known as PKIX (PKI using X.509 certificates), to provide
a specific example. Our intention is to add value to this and other specifications
by providing a more formal description and a framework in
which to develop path validation procedures. We take the path validation
algorithm in PKIX and give a formal description of the actions and properties
it defines. In this way, the essential aspects can be captured and
clearly formulated, which would facilitate the testing of implementations
in a more rigorous and well defined way.



1 Introduction 

There is a global movement towards using public key technology within a Public
Key Infrastructure (PKI) to support secure digital communications (for example:
electronic commerce and secure messaging). Details on public key cryptosystems
can be found in [19] or [4]. In order to use public key cryptography, it is essential
to make the public key available to those one wishes to communicate with in
a trusted way. Certificates are created by Certificate Authorities (CAs) and
are used as the vehicle to transport public key details. The CA attests to the
correctness of the information in the certificate by signing the certificate (this
also protects the information from being altered thereafter). The certificate is
verified by checking the signature, in which case a valid copy of the public key of
the CA is required. In a large PKI, multiple CAs may be required with chains of
certificates and even possibly multiple trust points, i.e., multiple trusted public
keys.

The Internet Engineering Task Force (IETF) is involved in guiding the evolution
of the Internet and is the main organisation involved in developing Internet
Standard specifications. Agreement on content and meaning is arrived
at through a process involving both informal and formal discussions along with
Working Groups (WGs) and a series of draft publications from which the final
Request For Comment (RFC) is distilled. The process is sometimes described
as forming a “rough consensus” on the appropriate content and meaning. The
RFCs that form part of an effort towards standardisation need to be clear as
well as inclusive and accessible, requirements that are often at odds. This
type of problem also arises with most other standardisation efforts.

In this article we are interested in the PKI profile outlined in RFC 2459,
which is concerned with standardising a Public Key Infrastructure (PKI) for the
Internet, see [6]. The PKI described in that document is known as PKIX as it uses
the ITU-T X.509 version 3 (X.509) certificate format [20]. Our main focus is the
path validation protocol from Section 6 of [6], which consists of an algorithm used
as a specification in the following way: “implementations are required to derive
the same results but are not required to use the specified procedures”. Such a
specification could lead to varying definitions or interpretations of conformance.
In fact, there are already a number of problems, such as those we mention below,
arising from this approach.

The English language is wonderfully expressive: a single word or phrase is
able to convey many different meanings. This is why it is unsuitable on its own
for providing a precise specification. When only a natural language specification
is given, it is probable that there will be different interpretations which all meet
the specification, although they may logically be different. General examples
of this type of problem are widespread. Such problems should be considered
seriously for documents that are expected to become global standards involving
the transfer of trust. In mid 1999 a defect report [3] was filed concerning the
X.509 standard. A number of defects were identified, some of which were serious
and could cause incorrect acceptance of certification paths. Due to the wide
acceptance of X.509 this affects a number of other standardisation efforts, like
PKIX. The PKIX WG is working on a new version of RFC 2459 (this draft is
available from http://www.imc.org/draft-ietf-pkix-new-part1), hoping to
anticipate the changes to X.509. The PKIX document is therefore important as
it indicates the likely direction for all standards relying on X.509.

It has also been recognised that interoperability problems have occurred with
S/MIME products, see [11]. It is argued that the looseness of the S/MIME specification
has led to the development of a number of compliant but nonetheless
non-interoperable products. It is likely that such problems will occur with PKIX
as well, the extent of which will be realised as products begin to appear. Although
example conforming certificates are given with PKIX there are no example conforming
certification paths. It could be argued that example certification paths
would provide such narrow coverage of the possible cases as not to warrant
inclusion. Whether the reader agrees with this or not, it is clear that the absence
of examples makes a clear specification even more important. Most specifications
of the IETF are supported by descriptions in natural language, as well as
more formal descriptions and examples. This approach is supported by the IETF
document guidelines. Requiring technical knowledge of the audience is largely
unavoidable in these areas, thus making the exclusion of technical descriptions
less relevant.

Experience with implementing PKIX path processing, in particular with regard
to the more exotic parts such as policy and constraints, is not yet well
developed. Due to the slower than anticipated progress in PKI development,
most implementations can, at present, ignore these more difficult areas and focus
on basic path processing. However, in this case they do not necessarily meet
PKIX compliance requirements. As an example, Cryptlib [2] does implement
the policies and constraints extensions. The following comment is taken from
the cryptlib code: “Policy constraints are the hardest of all because, with the
complex mishmash of policies, policy constraints, qualifiers, and mappings it
turns out that no-one actually knows how to apply them.” Perhaps the PKIX
specification is silent in areas where it should not be.

As is well known, formal methods can provide strict proof technologies for 
verifying critical properties of a system in a precise and unambiguous way, and 
also guide the developer towards a design of the security architecture of the 
system and its implementation. In this article we take the PKIX path validation 
algorithm and give a formal description of some of the actions and properties it 
defines. In this way, the essential aspects of the certification path validation can 
be captured and clearly formulated, which would facilitate the testing of other 
implementations in a more rigorous and well defined way. A formal description of 
precisely what is required for conformance could also assist implementers during 
the design phase. We are not suggesting that our specification replace the one 
already given in RFC 2459 but that it may be used to improve clarity. As part 
of our examination, a framework for path validation is developed that would be 
applicable to PKIs in general. 

The paper is organised as follows. In Section 2 we provide a brief backgro- 
und to the PKI elements described in RFC 2459 relevant to our discussion. In 
Section 3, we present a framework for path validation, in which three categories 
of path validation checks are identified. Section 4 discusses formalisation of the 
path validation algorithm in Isabelle/HOL, and presents the essential theories 
used for path validation. In particular we provide a framework function to imple- 
ment those interactive calculations in a path validation procedure, and propose 
a formal technique applied for modelling PKIX path validation. Section 5 talks 
about the benefits of our approach. The last section concludes this paper with 
a brief discussion about possible future work. 



2 Preliminaries 

We do not give general descriptions of PKIs, certificates, Certificate Authorities 
(CAs) or the certification process. For these we refer the reader to Ford and 
Baum [4]. We also assume that the reader is familiar with the use of certificates 
to convey public keys, especially those associated with digital signature services. 
PKIX itself contains a description of its relationship to different PKIs such as 
Privacy Enhanced Mail (PEM) and use of earlier versions of X.509. 
A detailed description of the certificate fields used by PKIX is given in [6] 
but we include a short description of the fields of interest for the convenience of 
the reader. 

An X.509 certificate is a sequence containing the following three fields: 

- tbsCertificate: a sequence of further fields over which the signature is 
calculated; 

- AlgorithmIdentifier: identifies the public key algorithm which has been 
used to sign the tbsCertificate; and 

- SignatureValue: the actual signature calculated over the tbsCertificate. 

The tbsCertificate itself contains the following sub-fields of interest to our 
discussion: 

- Version: the version of the X.509 certificate format being used - v3 with 
PKIX; 

- Signature: same as the AlgorithmIdentifier above; 

- Issuer: identifies the issuer of the certificate; 

- Validity: gives the time period for which the certificate is valid; 

- Subject: identifies the subject of the certificate; 

- SubjectPublicKeyInformation: gives the subject’s public key value and 
identifies the public key algorithm with which it is meant to be used; and 

- Extensions: contains a sequence of extension fields. 

Before making a further discussion about the field Extensions, we give a 
definition related to certification path validation as follows: 

A certification path is a non-empty sequence of certificates $(C_1, \ldots, C_n)$, 
where $C_1$ is a trusted certificate, $C_n$ is the target certificate, and for all $i$ 
($1 \le i \le n-1$) the subject of $C_i$ is the issuer of $C_{i+1}$. The trusted certificate 
is viewed as a certificate that is trusted by the verifier and it should of course 
be a valid certificate, and the target certificate is the one that the verifier 
wants to verify. The certificate validation procedure takes a given certification 
path and determines whether the target certificate is valid or invalid. 

The problem of how a certification path is obtained can be solved easily, see [8]; 
it will not be considered in this article. We will focus on the path validation 
algorithm. 

Extensions are used to automate the path validation process. Each extension 
field can be marked as critical or non-critical. Any extension can be ignored, but 
in the case of critical extensions, the issuing CA will take no responsibility for 
use of the certificate. Note that an Object IDentifier (OID) is a unique sequence 
of positive integers used to distinguish objects. Each extension is associated 
with an OID defined in X.509. The PKIX extensions that are important to our 
discussion are: 

- CertificatePolicies: contains a sequence, possibly empty, of policy OIDs. 
The purpose, as stated in PKIX, is that in a certificate these policy 
information terms are used to indicate the policy under which the certificate was 
issued and for which the certificate may be used; 

- PolicyMapping: is used in CA certificates to link separate certificate domains 
by providing a mapping of policies of one domain to policies of another 
domain. 

- PolicyConstraints: consists of two further fields: 

(1) InhibitPolicyMapping: a positive integer which indicates how many 
additional certificates may occur in a path before policy mappings are 
no longer allowed; 

(2) RequireExplicitPolicy: a positive integer which indicates how many 
additional certificates may occur in a path before an acceptable policy 
OID will be required in each certificate. 

An application is expected to have its own list of acceptable policy OIDs by which 
it can compare with the list of policy OIDs in a certificate. Some applications 
may not require any particular policy at all. 



3 A Framework for Path Validation 

The framework for certification path validation is based on the certificate format. 
As discussed in the previous section, an X.509 certificate consists of three fields 
and some fields further contain several sub-fields. Without loss of generality, we 
may simplify our discussion by assuming that the PKI certificates have a 
standard public-key certificate format proposed in [7], which contains the following 
basic information: the name of the certificate issuer, the start and expiry dates, 
the subject (i.e., the name of the holder of the private key for which the 
corresponding public key is being certified), the value of the public key, the extension 
field, and the signature of the issuer. Formally, a certificate has the following 
form: 

$\mathit{Cert}(I, D_s, D_e, S, PK, E, \mathit{SIG}(I, D_s, D_e, S, PK, E))$ 

or, simply, written as $\mathit{Cert}(I, D_s, D_e, S, PK, E, \mathit{SIG})$, where $I$ is the issuer, $D_s$ and $D_e$ 
are the start date and expiry date respectively, $S$ is the subject of the certificate, 
$PK$ is the value of the public key held by $S$, $E$ is the value of the extension field, 
and $\mathit{SIG}$ is the signature of the issuer $I$. 

Given a certificate $C = \mathit{Cert}(I, D_s, D_e, S, PK, E, \mathit{SIG}(I, D_s, D_e, S, PK, E))$, the 
following projection functions can be used to obtain the value of each component 
contained in $C$: 

$I(C) = I$, $D_s(C) = D_s$, $D_e(C) = D_e$, 

$S(C) = S$, $PK(C) = PK$, $E(C) = E$, 

$\mathit{SIG}(C) = \mathit{SIG}(I, D_s, D_e, S, PK, E)$, $\mathit{tbs}(C) = (I, D_s, D_e, S, PK, E)$. 

In the following, we introduce a path validation framework that makes 
important and natural distinctions between the types of checking done for 
validating certification paths. Certificate verification is intended to prove that the 
certificate is valid and no-one has tampered with the contents of a certificate. 
This includes verifying the identity of the issuer and owner, verifying the 
signature, and checking the associated revocation listing. To verify the signature, 
the validity of the issuer’s certificate needs to be determined, and so on, until 
a trusted certificate is encountered. Therefore, certificate verification involves 
iteratively verifying certificates in a certification path from a trusted certificate. 
The best method for obtaining the certification path is dependent on the 
structure of the PKI. The PKIX path validation algorithm takes the path as an 
input, so the exact means of certification path discovery is not important for 
this discussion. 

In regard to path validation, all the checks of certificates can be separated 
into the three main categories listed below. In our framework, all of the 
certification path validation checks can be placed into one of the three categories. 

Single checks: these are checks that are performed on and only involve a single 
certificate (as is the case with the Validity field, for example). 

Pair checks: these checks require the comparison of two possibly different fields 
from two certificates. For example, the Issuer field of the certificate $C_{i+1}$ and 
the Subject field of the certificate $C_i$ (where $1 \le i \le n-1$) need to be the same. 

Path checks: for these checks the entire certification path $(C_1, \ldots, C_n)$ may be 
required. If the certificate $C_i$ holds the value $k$ in the requireExplicitPolicy 
field of the PolicyConstraints extension then it must be checked that the 
certificates $C_{i+k}$ onwards have an acceptable policy in their Policy extension fields 
and concurrently checked whether the value $k$ is decreased by any certificates 
further along the path. 

This framework is the basis for a natural separation of the entire certification 
path validation problem into distinct types based on the different checking requi- 
rements. Actually, there are several implementations that follow this, although 
usually not emphasised in the documentation. 



4 Formalisation in Isabelle 

Isabelle [13,15] is a generic theorem prover that can be used for implementing 
a range of logical formalisms. The structure and behavior of a certificate 
verification system can be formalized in an appropriate logical formalism [7], 
so it becomes possible to mechanize a PKI algorithm in Isabelle. We use 
Isabelle/HOL, an instantiation of Isabelle relying on higher-order logic (Isabelle 
can be instantiated to various base logics). The essence of higher-order logic is 
that both functions and predicates (of the appropriate type) can take functions 
or predicates as arguments, and return them as results [5]. 

In the following, we present the essential theories that are used for path 
validation. 
4.1 Certificate Theory 

In Isabelle, a theory consists of the definition of types, functions (including the 
fact that functions can be constants), and rules/axioms. Figure 1 gives an Isabelle 
theory, named Certif.thy or, simply, Certif. This theory defines the data type 
of certificates, and includes several rules which express the projection functions 
in the Isabelle theory. 



Certif = Main + 

(* datatype and constant declarations assumed: only the rules and the tail 
   "'n * 'k * 'e)" of the type of tbs survive; 'd is the date type and 's the 
   signature type *) 
datatype 
  ('n, 'd, 'k, 'e, 's) cert = Cert 'n 'd 'd 'n 'k 'e 's 

consts 
  issuer     :: "('n, 'd, 'k, 'e, 's) cert => 'n" 
  subject    :: "('n, 'd, 'k, 'e, 's) cert => 'n" 
  start      :: "('n, 'd, 'k, 'e, 's) cert => 'd" 
  expire     :: "('n, 'd, 'k, 'e, 's) cert => 'd" 
  public     :: "('n, 'd, 'k, 'e, 's) cert => 'k" 
  extensions :: "('n, 'd, 'k, 'e, 's) cert => 'e" 
  sig        :: "('n, 'd, 'k, 'e, 's) cert => 's" 
  tbs        :: "('n, 'd, 'k, 'e, 's) cert => ('n * 'd * 'd * 'n * 'k * 'e)" 

rules 
  issuer_def     "issuer (Cert I ds de S PuK exts SIG) = I" 
  subject_def    "subject (Cert I ds de S PuK exts SIG) = S" 
  start_def      "start (Cert I ds de S PuK exts SIG) = ds" 
  expire_def     "expire (Cert I ds de S PuK exts SIG) = de" 
  public_def     "public (Cert I ds de S PuK exts SIG) = PuK" 
  extensions_def "extensions (Cert I ds de S PuK exts SIG) = exts" 
  sig_def        "sig (Cert I ds de S PuK exts SIG) = SIG" 
  tbs_def        "tbs c = (issuer c, start c, expire c, subject c, 
                           public c, extensions c)" 

end 

Fig. 1. The Certificate Theory 



In this theory, “Certif = Main +” declares that Main is the parent theory of 
the theory Certif. Main is a basic theory in Isabelle/HOL, which collects all the 
basic predefined theories of arithmetic, lists, sets etc. Hence Certif is built upon 
the basis theory by defining a new data type (Cert), new syntax for functional 
constants (e.g. issuer), and rules that give the definitions and properties about 
these functions (e.g. issuer_def). 

With the theory Certif defined, we can prove some goals. For example, the 
following goal can trivially be proved by rewriting with the new rules above: 

Goal "tbs (Cert I ds de S PuK exts SIG) = (I,ds,de,S,PuK,exts)"; 

Once a goal is proved, it becomes a theorem of the Certif theory, and 
may be used in later proofs. 
4.2 Modelling Cryptographic Functions 

In order to model the cryptographic functions that are involved in the public 
key certificates, we adopt the following principles: 

- Higher-order, property-based approach. That is, rather than define a primitive 
function for signing, and another for checking signatures, we define the types 
and relationships that such a pair of functions must satisfy. This has the 
advantage of making it easy to extend the theory (and results) for multiple 
algorithms. It is also logically more secure, since if there are axiomatically 
defined functions which are inconsistent, then the theory will be unsound, 
while if we make the corresponding error in the property relating signing 
and checking, then the logic remains sound, although the property becomes 
uninteresting as no functions can satisfy it. 

- Purely looking at the essential properties. In the case of our cryptographic 
functions, we focus on the essential connection between signing and checking, 
and their relationship to the public and private keys. We do not model the 
signing mechanism itself, so our theory does not include any discussion of 
encryption, and hence does not reflect the idea of signature as encryption 
with a private key. 

Based on the above principles, we construct the signature theory named 
Sign.thy shown in Figure 2. 



Sign = Main + 

consts 
  is_sign_pair      :: "(('m => 's) * ('m => 's => bool)) => bool" 
  is_PK_sign_system :: "(('x => 'm => 's) * ('y => 'm => 's => bool) * 
                         (('x * 'y) => bool)) => bool" 

rules 
  sign_pair_def      "is_sign_pair (sign, check) = 
                        (! M S. check M S = (S = sign M))" 
  PK_sign_system_def "is_PK_sign_system (sign, check, keyPair) = 
                        (! X Y. keyPair (X, Y) --> is_sign_pair (sign X, check Y))" 

end 

Fig. 2. The Signature Theory 



The signature theory includes two rules: 

- The first rule (sign_pair_def) indicates that checking a message M against 
a signature S should succeed in precisely those occasions when S equals the 
result of signing M. 

- The second rule (PK_sign_system_def) means that the signing operation 
formed from private key X can be checked by the checking operation formed 
from Y, whenever X and Y represent a valid key pair. 
Our approach is quite general. However, in order to accommodate DSA [12], 
we would need to extend our model to allow non-deterministic parameters. Note 
also that we allow the types of the private and public keys to be different, 
in contrast to much work that has been done in the authentication protocol 
verification area, such as Paulson [14], Burrows et al. [1], Roscoe [18] and Lowe 
[9] etc. 
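The property-based style of Figure 2 can be tried out concretely by evaluating the two rules over small finite domains. The following Python code is an added illustration and is not the paper's own theory or tooling: it treats is_sign_pair and is_PK_sign_system as decidable predicates by enumerating every M, S, X and Y in a tiny domain, and feeds them a constructed toy scheme (signing as multiplication modulo 7, checking with the modular inverse) that has no security value but does satisfy the relationship, alongside a mis-specified checker that does not. All names, the modulus and the toy scheme are assumptions of this example. 

```python
# Added illustration (not from the paper): the two Sign-theory rules of
# Figure 2 decided by exhaustive enumeration over small finite domains.
# The "signature scheme" is a constructed toy with no security value; it
# exists only so that sign/check/keyPair have something concrete to satisfy.
from functools import partial

P = 7                    # constructed modulus; messages, keys and signatures live in Z_7^*
DOMAIN = range(1, P)     # the finite domain the quantifiers range over


def is_sign_pair(sign, check, messages=DOMAIN, sigs=DOMAIN):
    """sign_pair_def: for all M, S: check M S = (S = sign M)."""
    return all(check(m, s) == (s == sign(m)) for m in messages for s in sigs)


def is_pk_sign_system(sign, check, key_pair, privs=DOMAIN, pubs=DOMAIN):
    """PK_sign_system_def: for all X, Y: keyPair (X, Y) --> is_sign_pair (sign X, check Y).

    `partial(sign, x)` is the curried `sign X` of the theory, and
    `partial(check, y)` the curried `check Y`."""
    return all(
        (not key_pair(x, y)) or is_sign_pair(partial(sign, x), partial(check, y))
        for x in privs for y in pubs
    )


# Toy scheme (assumption): private key x, public key y with x*y = 1 (mod P),
# signature of m is m*x; checking multiplies by y and compares with m.
def toy_sign(x, m):
    return (m * x) % P


def toy_check(y, m, s):
    return (s * y) % P == m


def toy_key_pair(x, y):
    return (x * y) % P == 1


# A mis-specified checker: it accepts every non-zero "signature", so the
# equivalence demanded by sign_pair_def fails and the property rejects it.
def lax_check(y, m, s):
    return (s * y) % P != 0


def demo():
    """Evaluate the rules against the toy scheme and its broken variants."""
    return {
        # every (x, y) with x*y = 1 yields a genuine sign/check pair
        "toy_is_pk_sign_system": is_pk_sign_system(toy_sign, toy_check, toy_key_pair),
        # an over-permissive checker breaks the rule for every key pair
        "lax_checker_accepted": is_pk_sign_system(toy_sign, lax_check, toy_key_pair),
        # a mismatched key (3*3 = 9 = 2 mod 7, not a key pair) is not a sign pair
        "wrong_key_is_sign_pair": is_sign_pair(partial(toy_sign, 3), partial(toy_check, 3)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the rules are stated as relationships rather than as concrete functions, the same two predicates can be pointed at any candidate scheme; here the enumeration is exact because the domain is tiny, whereas in Isabelle the same statements are proved rather than enumerated. 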

4.3 Framework Function 

As already described, the various checks used for path verification can be grouped 
according to what data they are calculated on. We now need to describe in 
Isabelle a framework function that may take all these individual checks, and 
apply them to a certification path to be verified. 

In the case of single and pair predicates, it is clear that these may be 
iteratively applied to the list of certificates. The results of these tests are joined by 
conjunction (since if any test fails the entire path must fail to validate). So the 
pattern of iteration can be described by: 

$B_{i+1} = B_i \wedge \mathit{pair}(C_i, C_{i+1}) \wedge \mathit{single}(C_{i+1})$ 

where $B_i$ is the accumulating boolean result (true meaning “valid so far”), and 
$C_{i+1}$ is the current certificate we are processing (the framework function is 
defined so that the previous certificate processed is made available to the function 
pair). 

The remaining functions can depend on any aspects of the list, and hence 
are the most general, and potentially worst behaved (from an ease-of-modelling 
viewpoint). However, in all the cases we have seen in path validation algorithms, 
there is a fairly simple sequence of iterative structures $G_i$ that can be 
constructed down the certification path that allows these predicates to be calculated. 
Examples will be briefly considered later, but at the moment we ignore these, 
and extend our accumulating boolean result to cover also these last predicates, 
represented by path_pred in the following: 

$B_{i+1} = B_i \wedge \mathit{path\_pred}(G_i, C_{i+1}) \wedge \mathit{pair}(C_i, C_{i+1}) \wedge \mathit{single}(C_{i+1})$ 

$G_{i+1} = f(G_i, C_{i+1})$ 

We introduce the framework function to implement these iterative calculati- 
ons, using the various predicate arguments passed to it. It is called as follows: 

framework path_state path_pred pair single state_init trusted_cert certs 

where the meanings of arguments are as follows: 

- path_state - the function that calculates the new state from the old state 
and the new cert (certificate). Needed for path properties that use the whole 
path. 
- path_pred - the path property calculating whether the validation of the 
whole path (up to here) has failed yet. 

- pair - pred for checking neighbours in the certificate chain. 

- single - pred for checking single certs (e.g. for time). 

- state_init - the initial values in the state used for whole path pred. Often 
either a “null” of some type, or derived from the initial trusted certificate. 

- trusted_cert - the “top cert” that is trusted by the verifier. 

- certs - an argument to the resulting validation function - the list of certs 
to be verified. Note that the head of certs is the highest in the tree. 



4.4 Modelling PKIX Path Validation 

PKIX path validation is quite complex, so we do not aim to yet model all aspects. 
Separate consideration of the processing regarding various extensions should be a 
valid technique. The reason is that most processing of extensions is independent 
of each other. It is, however, useful to look at interactions when they occur, and 
this would be a good area for further study. 

The aspects we will be focusing on are the PKIX processing rules for dealing 
with “certificate policies”. These are defined as: 

A named set of rules that indicates the applicability of a certificate to a 
particular community and/or class of application with a common security 
requirement [6]. 

Informally we interpret the role of certificate policy processing in PKIX as 
determining for the users the set of policies under which a given certificate may 
be validly used. A given certificate may have been issued under policies P\ and 
P2, but it may be that it is only valid for use under policy P2 (perhaps because 
of restrictions applied by CAs higher in the path, or by the application carrying 
out the validation). 

Closely related to certificate policies is the policy mappings extension, which 
is intended to associate related policies from different domains when cross- 
certifying between them. Although they play an important role in the PKIX 
algorithm, and have a major part in the discovered flaws, we do not yet include 
them in the modelling presented in this paper. 

Consider now the predicates for checking certificate policies in PKIX. Our 
accumulating structures $G_i$ need to track various information: the set of policies 
acceptable to the user (user policy set: ups), the set of policy constraints from 
CAs earlier in the certification path (authority policy set: aps), a counter for 
the number of certificates we are up to in processing (cnt), and the certificate 
number at which certificate policies must be present (policy limit: lim). These 
are grouped together in a tuple: (ups, aps, lim, cnt). In the following, we 
consider the path predicate for checking the policies of the next certificate (C) 
using the data of this tuple. 

Given the current values for (ups, aps, lim, cnt), we use a particular 
path predicate named as path_pred_cp (cp for certificate policy) to process the 
next certificate, say C. The path predicate is defined in the following form: 
path_pred_cp_def "path_pred_cp ((ups, aps, lim, cnt), C) = ..." 

where the detail of the right hand side of the equation is not given yet. 

We now consider how the right hand side in the above definition is to be defi- 
ned. From PKIX we have the following process in the path validation algorithm: 

“(e) (1) if the certificate policies extension is marked critical, the intersection 
of the policies extension and the acceptable policy set shall be non-null.” 

This can be expressed in the path predicate provided to the framework as follows: 

((certPoliciesCritical (extensions C)) --> 
  (aps Int (certPoliciesExt (extensions C)) ~= {})) 

where {} is the empty set. 

The following check is also done by the PKIX algorithm: 

“(d) (1) if the explicit policy state variable is less than or equal to i, a policy 
identifier in the certificate shall be in the initial policy set.” 

The algorithm has the following representation in Isabelle: 

((lim <= cnt) --> 
  (ups Int (certPoliciesExt (extensions C)) ~= {})) 

The two preceding predicates are conjoined together to complete the defi- 
nition of path_pred_cp and are used in the framework. Also defined and used 
are functions that define how the various components lim, cnt and aps are up- 
dated, and these functions can again be directly linked to clauses in the PKIX 
definition. 
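The framework function of Section 4.3 and the certificate-policy predicate just defined can be exercised together on a concrete path. The Python code below is an added illustration, not the paper's Isabelle theory: `framework` implements the recurrences for $B_{i+1}$ and $G_{i+1}$, `path_pred_cp` is the conjunction of the two PKIX clauses quoted above over the state tuple (ups, aps, lim, cnt), and `pair_naming` and `single_validity` stand in for the pair and single checks. The state update `path_state_cp` is a simplified assumption of this example (the paper only says such functions exist and are linked to PKIX clauses): cnt is the index of the certificate being examined (trusted certificate at 0), aps is narrowed to the certificate's own policies, and lim becomes cnt plus the certificate's requireExplicitPolicy value. Field names, the extension dictionary layout, the policy OIDs and the sample certificates are all constructed. 

```python
# Added illustration (not from the paper): the Section 4.3 framework function
# driving the Section 4.4 certificate-policy path predicate on a constructed
# certification path.  Field names, extension keys, OIDs and dates are assumed.
from collections import namedtuple
from datetime import date

# Cert(I, D_s, D_e, S, PK, E, SIG): the projection functions become field accesses.
Cert = namedtuple("Cert", "issuer start expire subject public extensions sig")


def framework(path_state, path_pred, pair, single, state_init, trusted_cert, certs):
    """B_{i+1} = B_i and path_pred(G_i, C_{i+1}) and pair(C_i, C_{i+1}) and single(C_{i+1});
    G_{i+1} = path_state(G_i, C_{i+1}).  Returns (B_n, G); the loop stops at the
    first failure because a conjunction cannot recover from a false conjunct."""
    state, prev = state_init, trusted_cert
    for cert in certs:
        if not (path_pred(state, cert) and pair(prev, cert) and single(cert)):
            return False, state
        state, prev = path_state(state, cert), cert
    return True, state


# --- extension accessors; the dictionary keys are an assumption of this example ---
def cert_policies_ext(exts):
    return frozenset(exts.get("certificatePolicies", ()))


def cert_policies_critical(exts):
    return bool(exts.get("certificatePoliciesCritical", False))


def require_explicit_policy(exts):
    return exts.get("requireExplicitPolicy")     # None when the constraint is absent


# --- the path predicate of Section 4.4 on the state tuple (ups, aps, lim, cnt) ---
def path_pred_cp(state, cert):
    ups, aps, lim, cnt = state
    policies = cert_policies_ext(cert.extensions)
    # (e)(1): critical policies extension  -->  aps Int policies ~= {}
    critical_ok = (not cert_policies_critical(cert.extensions)) or bool(aps & policies)
    # (d)(1): lim <= cnt  -->  ups Int policies ~= {}
    explicit_ok = (not lim <= cnt) or bool(ups & policies)
    return critical_ok and explicit_ok


def path_state_cp(state, cert):
    """Simplified state update (an assumption of this example, not the paper's):
    aps is narrowed to the certificate's policies when it carries any, lim is
    lowered to cnt + requireExplicitPolicy when that constraint is present,
    and cnt advances to the index of the next certificate."""
    ups, aps, lim, cnt = state
    policies = cert_policies_ext(cert.extensions)
    if policies:
        aps = aps & policies
    rep = require_explicit_policy(cert.extensions)
    if rep is not None:
        lim = min(lim, cnt + rep)
    return (ups, aps, lim, cnt + 1)


# --- single and pair checks ---
NOW = date(2000, 7, 10)   # constructed validation time


def single_validity(cert):
    return cert.start <= NOW <= cert.expire


def pair_naming(prev, cert):
    # subject(C_i) must equal issuer(C_{i+1}); a signature check via the
    # Sign theory would be conjoined at this same point.
    return prev.subject == cert.issuer


def validate(trusted, certs, ups):
    # aps starts from the trusted certificate's policies; lim = infinity means
    # explicit policies are not yet required; cnt = 1 is the first untrusted cert.
    state_init = (frozenset(ups), cert_policies_ext(trusted.extensions), float("inf"), 1)
    return framework(path_state_cp, path_pred_cp, pair_naming, single_validity,
                     state_init, trusted, certs)


# --- constructed sample path: trust anchor CA1 -> CA2 -> end entity ---
P1, P2 = "1.2.3.4.1", "1.2.3.4.2"                 # constructed policy OIDs
D0, D1 = date(2000, 1, 1), date(2001, 1, 1)
ROOT = Cert("CA1", D0, D1, "CA1", "pk-ca1", {"certificatePolicies": [P1, P2]}, "sig0")
CA2 = Cert("CA1", D0, D1, "CA2", "pk-ca2",
           {"certificatePolicies": [P1], "certificatePoliciesCritical": True,
            "requireExplicitPolicy": 1}, "sig1")
EE_OK = Cert("CA2", D0, D1, "alice", "pk-alice", {"certificatePolicies": [P1]}, "sig2")
EE_NO_POLICY = Cert("CA2", D0, D1, "bob", "pk-bob", {}, "sig3")
CA2_BAD = CA2._replace(extensions={"certificatePolicies": ["9.9.9"],
                                   "certificatePoliciesCritical": True})


def demo():
    ups = {P1, P2}
    return {
        "good": validate(ROOT, [CA2, EE_OK], ups)[0],
        # CA2's requireExplicitPolicy forces a policy on the next certificate
        "missing_explicit_policy": validate(ROOT, [CA2, EE_NO_POLICY], ups)[0],
        # a critical policy outside aps fails clause (e)(1) at CA2
        "critical_policy_not_accepted": validate(ROOT, [CA2_BAD, EE_OK], ups)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The three categories of Section 3 are visible as the three predicate arguments: `single_validity` looks at one certificate, `pair_naming` at two neighbours, and `path_pred_cp` at the accumulated state $G_i$, which is the only place the requireExplicitPolicy value from an earlier certificate can reach a later one. 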

Once a theory describing path validation is defined (in our case for a subset 
of PKIX path validation) it becomes possible to define paths of certificates, and 
to reason about certificate validity. In this way we can exhibit particular paths 
that illustrate unexpected behaviour of a given path validation algorithm. It will 
also be possible to prove that a particular algorithm may have certain desirable 
security properties, or satisfies a given security policy, though we have not yet 
carried out such proofs. 



5 Benefits of Our Approach 

Our approach can be used to detect or highlight inconsistencies and errors in 
standards and/or implementations. One of the ways that this is achieved is by 
the type-checking Isabelle carries out on the theory, which can reveal basic kinds 
of inconsistencies. 

Formal specification may also be used to compare various alternatives to 
fixing a particular problem, and potentially to verify that some alternatives are 
indeed free of error. For example, we are now looking at the suggested changes to 
PKIX, to see whether they are indeed free of some of the undesirable properties. 

One of the major issues is that many standards, such as PKIX and X.509, 
are effectively specifying a solution (or a class of solutions). Although we have 
seen that the relative informality of these specifications may cause problems, 
the issue becomes even more serious when considering the problems that these 
solutions are meant to address. Usually the problems that various features of 
the solution are meant to address are not described, or only very informally. 
Effectively many features have no clear requirement, and the advice to someone 
developing a PKI reduces to “well, this is the effect extension X has on path 
validation, so if that is what you need, use it”. 

An example is certificate policies, where their intended meaning in end-entity 
certificates is perhaps clear (though what happens if a certificate has multiple 
policies, and their policy meanings are inconsistent?), but in CA certificates 
their effect is so complicated that no simple requirement is ever given for them. 
Perhaps another example is policy qualifiers; these allow general information to 
annotate certificate policies, but their uses to date have been very restricted (e.g. 
pointers to where the policy definition may be obtained), and it is completely 
unclear what applications should do with them, and what would be acceptable 
ways for CAs to populate them (thankfully the path validation decision is not 
to be dependent upon policy qualifiers; the new PKIX algorithm does specify 
how to process qualifiers for “any-policy”, and hence is generating a “solution” 
based on semantics for qualifiers, which may ultimately be inappropriate). 

Even when standards are correct, we can often provide an accurate and 
more abstract re-expression of the standard. This can be particularly useful 
for implementations that seek to use algorithms or data structures which differ 
from those used in the standards (although, of course, aiming to be behaviourally 
equivalent). 

There exists the potential to prove certain properties about a PKI on the 
basis of the standard it implements. This could serve as a valuable input to the 
development of any future “higher-grade” PKI developments. 

6 Conclusions and Future Work 

We have seen how an absence of formal specification in a more intricate part of 
a technical standard has caused problems with implementations, and resulted in 
a general interpretation apparently diverging from that intended by its authors 
(hence leading to the need for revisions of these parts). By adding formality 
in the specification process, we suggest that some of these problems may be 
avoided. 

In the specific case of path validation, we have explained how a simple model 
(our framework) can be used to bring order to the many checks required in path 
validation, and provide a basis for formalisation. We have, furthermore, explained 
some aspects of just such a formalisation, linking it back to statements within 
the standard. Thus the feasibility of such an approach to specification in this 
domain area is demonstrated. 
In future work we would like to extend further into the areas of PKIX path 
validation not yet modelled, and also look at modelling and comparing some 
alternatives for resolving the current problems with this validation algorithm. 
It may be possible to extend the signature theory in Section 4.2 by adding the 
concept of non-deterministic parameters, so that it could accommodate DSA. We 
could also extend the work further to cover more of the total certificate lifecycle 
(e.g. registration authority functions, rekeying, and revocation). Closely related 
to these aspects are the underlying trust models; clearly this would relate to 
work by Maurer [10], Reiter and Stubblebine [16,17], and others. 
Abstract. An iterative probabilistic method for reconstructing the initial 
state of RC4 keystream generator from a short segment of the key- 
stream sequence is developed. The cryptanalytic algorithm consists of a 
forward and backward recursive computation of the posterior probabili- 
ties of the internal state components given a keystream segment. While 
maintaining the computational complexity, the new method presents a 
theoretical and practical improvement of a recently proposed method of 
a similar type, as less entries of the initial table are required to be known 
for the attack to be successful. If these entries have to be guessed, then 
the attack is expected to remain infeasible for the recommended word 
size of RC4. 

Key words. Keystream generator, cryptanalysis, recursive probabilities, 
iterative algorithms, permutations. 



1 Introduction 

Keystream generators for practical stream cipher applications can generally be 
represented as autonomous finite-state machines whose initial state and possibly 
the next-state and output functions are secret-key-dependent. A common type 
of keystream generators consists of a number of possibly irregularly clocked 
linear feedback shift registers that are combined by a function with or without 
memory. Such generators are relatively well explored in the open literature. They 
can possess desired cryptographic properties, but under certain conditions, they 
may be vulnerable to various divide-and-conquer attacks in the known plaintext 
(or ciphertext-only) scenario (for a survey, see [7] and [4]). 

A different design approach is taken in a software-oriented keystream 
generator [8] publicized in [9] and known as RC4. It is widely used in a number 
of commercial products and standards including the Secure Sockets Layer standard 
SSL 3.0. Given a parameter n (nominally, n = 8), the internal state of RC4 
consists of a balanced table (permutation) of $2^n$ different n-bit words and two 
pointer n-bit words which, at each time, define the positions of two words in the 
table to be swapped to produce the table at the next time. One of the pointers 
is updated by using the table content at the position defined by the other, 
which is itself updated in a known way by a counter. Initially, the two pointer 
words are set to zero and the table content is defined by the secret key. The 
table thus varies slowly in time under the control of itself. At each time, the 
output of RC4 is an n-bit word which is taken from an appropriate position in 
the table. The output word is then bitwise added to the plaintext word to give 
the ciphertext word. The effective internal memory size in bits is large and is 
given as $M = \log 2^n! + 2n \approx 2^n(n - \log e) + 5n/2 + \log\sqrt{2\pi}$, where the logarithm 
is to the base 2. 

Standard cryptographic properties are hard to prove for RC4. According to 
the linear model approach [2], a linear statistical weakness of the RC4 keystream 
is both theoretically and experimentally established in [3] and [5]. The keystream 
sequence length needed to detect the weakness is considerably shorter than the 
period and may even be realistic in high speed applications for n < 8. However, 
as this length is fairly large, the result is more of a theoretical than practical 
interest. 

Two cryptanalytic algorithms for reconstructing the initial state of RC4 from 
a short segment of the keystream are proposed in [6]. One consists of the se- 
quential search through the values of the internal state components (one of the 
pointers and appropriate entries of the table at successive times) that are con- 
sistent with the given keystream segment. Its time complexity is close to the 
time of searching through the square root of all possible initial states. The other 
consists of a recursive computation of the posterior probabilities of the internal 
state components given the corresponding keystream symbols. It can recover the 
content of the initial table provided a sufficient number of its entries are known 
(about 60% for n = 8). Its time complexity is about 2®” steps each consisting of 
computing the product of appropriate probabilities. 

The main objective of this paper is to develop an iterative probabilistic 
method for reconstructing the initial state of RC4 from a short segment of the 
keystream sequence. A careful probabilistic analysis reveals two main deficiencies 
of the probabilistic approach from [6]. First, the expressions in [6] for the posterior 
probabilities are just approximations as the two so-called ‘change of state’ and 
‘observation of output symbol’ effects should be considered simultaneously rather 
than separately. Second, apart from the forward recursion of the posterior 
probabilities, the backward recursion of these probabilities is also required. As 
a result, fewer entries of the initial table have to be known for the attack to 
recover the whole initial table. This is illustrated by experimental results obtained 
by computer simulations. The time complexity is about 2®" steps consisting of 
computing the product of appropriate probabilities. 

In Section 2, a more detailed description of the RC4 keystream generator is
presented. In Section 3, general expressions for the forward and backward
recursions of the posterior probabilities are determined, while the underlying
conditional probabilities are derived in the Appendix. Section 4 contains a
description of the corresponding iterative cryptanalytic algorithms and
Section 5 is devoted to illustrative experimental results. A summary and
conclusions are given in Section 6.
2 Description of RC4

We follow the description given in [9]. RC4 is in fact a family of algorithms
indexed by a parameter $n$, which is a positive integer typically recommended
to be equal to 8. The internal state of RC4 at time $t$ consists of a table
(permutation) $S_t = (S_t[i])_{i=0}^{2^n-1}$ of $2^n$ different $n$-bit words
and of two pointer $n$-bit words $i_t$ and $j_t$. The $n$-bit words are treated
as binary representations of integers. So, the internal memory size in bits is
$M = \log 2^n! + 2n$. Let the output $n$-bit word of RC4 at time $t$ be denoted
by $Z_t$. Let initially $i_0 = j_0 = 0$. Then the next-state and output
functions of RC4 are for every $t \ge 1$ defined by

$$i_t = i_{t-1} + 1 \tag{1}$$

$$j_t = j_{t-1} + S_{t-1}[i_t] \tag{2}$$

$$S_t[i_t] = S_{t-1}[j_t], \quad S_t[j_t] = S_{t-1}[i_t] \tag{3}$$

$$Z_t = S_t[S_t[i_t] + S_t[j_t]] \tag{4}$$

where all the additions are modulo $2^n$. It is assumed that all the words
except for the swapped ones remain the same (swapping itself is effective only
if $i_t \ne j_t$). The output $n$-bit word sequence is
$Z = (Z_t)_{t=1}^{\infty}$. The initial table $S_0$ is derived from the secret
key string in a way which is not important for our cryptanalysis.

The known pointer sequence $(i_t)_{t=0}^{\infty}$ ensures that the next-state
function is invertible (one-to-one).



3 Recursive Probabilistic Analysis 

In a probabilistic model where the initial permutation $S_0$ is chosen randomly
according to the uniform probability distribution, our objective would ideally
be to determine the posterior probability $\Pr\{S_0 \mid Z_{t_1}^{t_2}\}$,
where $Z_{t_1}^{t_2} = Z_{t_1}, Z_{t_1+1}, \ldots, Z_{t_2}$ denotes a segment
of length $t_2 - t_1 + 1$ of the given keystream sequence. For simplicity, we
keep the same notation for random variables and their values. Thus $\Pr\{x\}$
denotes the probability $\Pr\{X = x\}$, where $X$ is a random variable. If
$2^{nT} > 2^n!$, that is, if $T > (\log 2^n!)/n$, then $S_0$ is expected to be
uniquely determined by $Z_1^T$. Computing this probability corresponds to the
algorithm [1] for estimating the internal states of a hidden Markov chain and
is equivalent to the exhaustive search over all possible $S_0$. Note that the
time and space complexities of the algorithm [1] are both proportional to the
cardinality of the internal state space of the underlying Markov chain.

Therefore, instead of the internal state as a whole, we consider its individual
components, that is, the individual entries of the table $S_t[i]$,
$0 \le i \le 2^n - 1$, and the pointer $j_t$ (the pointer $i_t$ is known). Our
ultimate objective is to determine the posterior probabilities
$\Pr\{S_0[i] \mid Z_1^T\}$, $0 \le i \le 2^n - 1$. This can be achieved by
considering the posterior probabilities $\Pr\{S_t[i] \mid Z_1^t\}$,
$0 \le i \le 2^n - 1$, and $\Pr\{j_t \mid Z_1^t\}$, for $0 \le t \le T$. The
algorithm [1] is not applicable because we deal with the internal state
components individually rather than with the whole internal state.

The essence of our probabilistic method is to derive the forward recursions
for the posterior probabilities $\Pr\{S_t[i] \mid Z_1^t\}$,
$0 \le i \le 2^n - 1$, and $\Pr\{j_t \mid Z_1^t\}$, for $1 \le t \le T$, and
the backward recursions for the posterior probabilities
$\Pr\{S_t[i] \mid Z_{t+1}^T\}$, $0 \le i \le 2^n - 1$, and
$\Pr\{j_t \mid Z_{t+1}^T\}$, for $0 \le t \le T - 1$. Both directions are
needed since the underlying independence assumption gives rise only to
approximate expressions. It is important to deal with $Z_{t+1}^T$ rather than
$Z_t^T$, as the backward recursions for $\Pr\{S_t[i] \mid Z_t^T\}$ and
$\Pr\{j_t \mid Z_t^T\}$ are much more difficult to derive and compute. Unlike
the algorithm [1] where the forward and backward recursions are essentially
the same, the forward and backward recursions derived here are different,
because the Markov chain property does not hold for the individual internal
state components.



3.1 Forward Recursions 

For the forward direction, note that the next-state and output functions can
be put into the form

$$j_t = j_{t-1} + S_{t-1}[i_t], \qquad i_t = i_{t-1} + 1 \tag{5}$$

$$S_t[i] = \begin{cases} S_{t-1}[j_t], & i = i_t \\ S_{t-1}[i_t], & i = j_t \\ S_{t-1}[i], & i \ne i_t, j_t \end{cases} \tag{6}$$

$$Z_t = S_t[S_{t-1}[i_t] + S_{t-1}[j_t]] \tag{7}$$

In view of (5)-(7), it is convenient to perform the following Bayesian
decomposition



$$\Pr\{S_t[i] \mid Z_1^t\} = \frac{\Pr\{Z_1^{t-1}\}}{\Pr\{Z_1^t\}} \sum_{j_t,\, S_{t-1}[i_t],\, S_{t-1}[j_t],\, S_{t-1}[i]} \Pr\{S_t[i], Z_t \mid j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], S_{t-1}[i], Z_1^{t-1}\} \cdot \Pr\{j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], S_{t-1}[i] \mid Z_1^{t-1}\} \tag{8}$$

where the summation is over all permissible pointer and entry values involved.
The $j_t$ pointer can take any possible value, whereas different entries of the
table must take different values, because $S_{t-1}$ is a permutation. Note
that, for convenience, the summation is over $j_t$ although the conditioning
is on $j_{t-1}$. Equation (8) gives rise to a recursion by using an
approximation that the $j_{t-1}$ pointer and different entries of $S_{t-1}$
are independent of each other when conditioned on $Z_1^{t-1}$, except that
different entries must take different values.

Accordingly, (8) can be approximated as



$$\Pr\{S_t[i] \mid Z_1^t\} \approx \frac{\Pr\{Z_1^{t-1}\}}{\Pr\{Z_1^t\}} \sum \Pr\{S_t[i], Z_t \mid j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], S_{t-1}[i], Z_1^{t-1}\} \cdot \Pr\{j_{t-1} = j_t - S_{t-1}[i_t] \mid Z_1^{t-1}\} \cdot \Pr\{S_{t-1}[i_t] \mid Z_1^{t-1}\} \cdot \frac{\Pr\{S_{t-1}[j_t] \mid Z_1^{t-1}\}}{\Pr\{S_{t-1}[j_t] \ne S_{t-1}[i_t] \mid Z_1^{t-1}\}} \cdot \frac{\Pr\{S_{t-1}[i] \mid Z_1^{t-1}\}}{\Pr\{S_{t-1}[i] \ne S_{t-1}[i_t], S_{t-1}[j_t] \mid Z_1^{t-1}\}} \tag{9}$$

(where formally $0/0 = 0$). It is assumed that the probability of each entry
of $S_{t-1}$, when the values of $i_t$, $j_t$, and $i$ are not different, is
included only once.

Note that the used approximation of the joint probability of different entries
of $S_{t-1}$, under the independence assumption as in [6], depends on the
chosen order of these entries (here $i_t$, $j_t$, $i$). Interestingly, another
approximation, which is simpler to compute, proves to be somewhat more
successful in the experiments reported in Section 5. Namely, under the
simplified independence assumption, the joint probability of different entries
can be approximated just as the product of their individual probabilities.
Thus, the last line of (9) is then replaced by

$$\Pr\{S_{t-1}[j_t] \mid Z_1^{t-1}\} \cdot \Pr\{S_{t-1}[i] \mid Z_1^{t-1}\}.$$

The multiplicative term $\Pr\{Z_1^{t-1}\}/\Pr\{Z_1^t\}$ is determined from
the normalization requirement

$$\sum_{S_t[i]} \Pr\{S_t[i] \mid Z_1^t\} = 1. \tag{10}$$



Similarly, we can obtain a forward recursion for the $j_t$ pointer as

$$\Pr\{j_t \mid Z_1^t\} \approx \frac{\Pr\{Z_1^{t-1}\}}{\Pr\{Z_1^t\}} \sum_{S_{t-1}[i_t],\, S_{t-1}[j_t]} \Pr\{Z_t \mid j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], Z_1^{t-1}\} \cdot \Pr\{j_{t-1} = j_t - S_{t-1}[i_t] \mid Z_1^{t-1}\} \cdot \Pr\{S_{t-1}[i_t] \mid Z_1^{t-1}\} \cdot \frac{\Pr\{S_{t-1}[j_t] \mid Z_1^{t-1}\}}{\Pr\{S_{t-1}[j_t] \ne S_{t-1}[i_t] \mid Z_1^{t-1}\}} \tag{11}$$

where the multiplicative term $\Pr\{Z_1^{t-1}\}/\Pr\{Z_1^t\}$ can be
determined from the normalization requirement

$$\sum_{j_t} \Pr\{j_t \mid Z_1^t\} = 1. \tag{12}$$

Note that the conditioning in (11) is on $j_{t-1}$. Under the simplified
independence assumption, the last line of (11) is replaced by

$$\Pr\{S_{t-1}[j_t] \mid Z_1^{t-1}\}.$$

The conditional probabilities in the second lines of (9) and (11), that is,

$$\Pr\{S_t[i],\; S_t[S_{t-1}[i_t] + S_{t-1}[j_t]] = Z_t \mid j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], S_{t-1}[i], Z_1^{t-1}\} \tag{13}$$

and

$$\Pr\{S_t[S_{t-1}[i_t] + S_{t-1}[j_t]] = Z_t \mid j_{t-1} = j_t - S_{t-1}[i_t], S_{t-1}[i_t], S_{t-1}[j_t], Z_1^{t-1}\} \tag{14}$$

are determined in Appendix A by using (5)-(7).



3.2 Backward Recursions 



As the next-state function of RC4 is one-to-one, the next-state and output
functions for the backward direction in time can be written as

$$j_t = j_{t+1} - S_{t+1}[j_{t+1}], \qquad i_t = i_{t+1} - 1 \tag{15}$$

$$S_t[i] = \begin{cases} S_{t+1}[j_{t+1}], & i = i_{t+1} \\ S_{t+1}[i_{t+1}], & i = j_{t+1} \\ S_{t+1}[i], & i \ne i_{t+1}, j_{t+1} \end{cases} \tag{16}$$

$$Z_{t+1} = S_{t+1}[S_{t+1}[i_{t+1}] + S_{t+1}[j_{t+1}]]. \tag{17}$$


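As an added example (not code from the paper), the following Python implements the generalised RC4 step (5)-(7) of Section 3.1 and its inverse (15)-(17) above, and checks on a constructed permutation for $n = 3$ that the backward step undoes the forward step and that the output identity (7) holds.

```python
"""Added example (not the paper's code): the generalised RC4 next-state and
output functions (5)-(7) for word size n, their inverse (15)-(17), and a
check that T steps forward followed by T steps backward return the initial
state.  The initial permutation SAMPLE_S0 is a constructed sample."""


def rc4_forward(S_prev, i_prev, j_prev, n):
    """One forward step, (5)-(7): from (S_{t-1}, i_{t-1}, j_{t-1}) compute
    (S_t, i_t, j_t) and the output word Z_t.  Additions are modulo 2^n."""
    mask = (1 << n) - 1
    S = list(S_prev)
    i = (i_prev + 1) & mask                 # (5): i_t = i_{t-1} + 1
    j = (j_prev + S[i]) & mask              # (5): j_t = j_{t-1} + S_{t-1}[i_t]
    S[i], S[j] = S[j], S[i]                 # (6): swap S[i_t] and S[j_t]
    z = S[(S[i] + S[j]) & mask]             # (4): Z_t = S_t[S_t[i_t] + S_t[j_t]]
    return S, i, j, z


def rc4_backward(S_next, i_next, j_next, n):
    """One backward step, (15)-(17): from (S_{t+1}, i_{t+1}, j_{t+1}) recover
    (S_t, i_t, j_t) and Z_{t+1}, which depends on S_{t+1} alone (17)."""
    mask = (1 << n) - 1
    S = list(S_next)
    z = S[(S[i_next] + S[j_next]) & mask]   # (17)
    j = (j_next - S[j_next]) & mask         # (15): S_{t+1}[j_{t+1}] = S_t[i_{t+1}]
    S[i_next], S[j_next] = S[j_next], S[i_next]   # (16): undo the swap
    i = (i_next - 1) & mask                 # (15)
    return S, i, j, z


def keystream(S0, n, T):
    """Z_1..Z_T from S_0 with i_0 = j_0 = 0, plus the final state."""
    S, i, j = list(S0), 0, 0
    out = []
    for _ in range(T):
        S, i, j, z = rc4_forward(S, i, j, n)
        out.append(z)
    return out, (S, i, j)


def eq7_holds(S0, n, T):
    """Identity (7): the index of the output word can be computed from the
    previous table, Z_t = S_t[S_{t-1}[i_t] + S_{t-1}[j_t]]."""
    mask = (1 << n) - 1
    S_prev, i, j = list(S0), 0, 0
    for _ in range(T):
        S, i, j, z = rc4_forward(S_prev, i, j, n)
        if z != S[(S_prev[i] + S_prev[j]) & mask]:
            return False
        S_prev = S
    return True


def roundtrip_ok(S0, n, T):
    """T forward steps then T backward steps must give back (S_0, 0, 0) and
    reproduce the keystream in reverse order."""
    out, (S, i, j) = keystream(S0, n, T)
    back = []
    for _ in range(T):
        S, i, j, z = rc4_backward(S, i, j, n)
        back.append(z)
    return S == list(S0) and (i, j) == (0, 0) and back[::-1] == out


# Constructed sample: n = 3, so the table holds the 2^3 = 8 three-bit words.
SAMPLE_N = 3
SAMPLE_S0 = [6, 1, 7, 0, 3, 5, 2, 4]

if __name__ == "__main__":
    print(keystream(list(range(8)), 3, 3)[0])          # [2, 5, 7]
    print(roundtrip_ok(SAMPLE_S0, SAMPLE_N, 20),
          eq7_holds(SAMPLE_S0, SAMPLE_N, 20))          # True True
```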

In view of (15)-(17), under similar assumptions, we obtain the following
analogs of (8)-(11), respectively:

$$\Pr\{S_t[i] \mid Z_{t+1}^T\} = \frac{\Pr\{Z_{t+2}^T\}}{\Pr\{Z_{t+1}^T\}} \sum_{j_{t+1},\, S_{t+1}[i_{t+1}],\, S_{t+1}[j_{t+1}],\, S_{t+1}[i]} \Pr\{S_t[i], Z_{t+1} \mid j_{t+1}, S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], S_{t+1}[i], Z_{t+2}^T\} \cdot \Pr\{j_{t+1}, S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], S_{t+1}[i] \mid Z_{t+2}^T\} \tag{18}$$

$$\Pr\{S_t[i] \mid Z_{t+1}^T\} \approx \frac{\Pr\{Z_{t+2}^T\}}{\Pr\{Z_{t+1}^T\}} \sum_{j_{t+1},\, S_{t+1}[i_{t+1}],\, S_{t+1}[j_{t+1}],\, S_{t+1}[i]} \Pr\{S_t[i], Z_{t+1} \mid j_{t+1}, S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], S_{t+1}[i], Z_{t+2}^T\} \cdot \Pr\{j_{t+1} \mid Z_{t+2}^T\} \cdot \Pr\{S_{t+1}[i_{t+1}] \mid Z_{t+2}^T\} \cdot \frac{\Pr\{S_{t+1}[j_{t+1}] \mid Z_{t+2}^T\}}{\Pr\{S_{t+1}[j_{t+1}] \ne S_{t+1}[i_{t+1}] \mid Z_{t+2}^T\}} \cdot \frac{\Pr\{S_{t+1}[i] \mid Z_{t+2}^T\}}{\Pr\{S_{t+1}[i] \ne S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}] \mid Z_{t+2}^T\}} \tag{19}$$

$$\Pr\{j_t \mid Z_{t+1}^T\} \approx \frac{\Pr\{Z_{t+2}^T\}}{\Pr\{Z_{t+1}^T\}} \sum_{S_{t+1}[i_{t+1}],\, S_{t+1}[j_{t+1}]} \Pr\{j_t, Z_{t+1} \mid j_{t+1} = j_t + S_{t+1}[j_{t+1}], S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], Z_{t+2}^T\} \cdot \Pr\{j_{t+1} = j_t + S_{t+1}[j_{t+1}] \mid Z_{t+2}^T\} \cdot \Pr\{S_{t+1}[i_{t+1}] \mid Z_{t+2}^T\} \cdot \frac{\Pr\{S_{t+1}[j_{t+1}] \mid Z_{t+2}^T\}}{\Pr\{S_{t+1}[j_{t+1}] \ne S_{t+1}[i_{t+1}] \mid Z_{t+2}^T\}} \tag{20}$$

Note that the conditioning in (20) is on $j_{t+1}$.

Under the simplified independence assumption, the last two lines of (19) and
the last line of (20) are modified analogously. Note that the Bayesian
decompositions in (18)-(20) are carefully chosen so as to make the
computations as simple as possible. The analogy with (8)-(11) is considerable,
but not complete.

The conditional probabilities in the second lines of (19) and (20), that is,

$$\Pr\{S_t[i],\; S_{t+1}[S_{t+1}[i_{t+1}] + S_{t+1}[j_{t+1}]] = Z_{t+1} \mid j_{t+1}, S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], S_{t+1}[i], Z_{t+2}^T\} \tag{21}$$

and

$$\Pr\{j_t,\; S_{t+1}[S_{t+1}[i_{t+1}] + S_{t+1}[j_{t+1}]] = Z_{t+1} \mid j_{t+1} = j_t + S_{t+1}[j_{t+1}], S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}], Z_{t+2}^T\} \tag{22}$$

are determined in Appendix B by using (15)-(17).

The multiplicative term $\Pr\{Z_{t+2}^T\}/\Pr\{Z_{t+1}^T\}$ is determined from
similar normalization requirements.



4 Iterative Algorithms 

The forward recursion (9) together with the conditional probability (13)
determined in Appendix A can be used to compute the posterior probabilities
$\Pr\{S_t[i] \mid Z_1^t\}$, $0 \le S_t[i] \le 2^n - 1$, $0 \le i \le 2^n - 1$,
from the previously computed posterior probabilities
$\Pr\{S_{t-1}[k] \mid Z_1^{t-1}\}$, $0 \le S_{t-1}[k] \le 2^n - 1$,
$0 \le k \le 2^n - 1$, and $\Pr\{j_{t-1} \mid Z_1^{t-1}\}$,
$0 \le j_{t-1} \le 2^n - 1$. Note that the summation is effectively only over
the variables $j_t$, $S_{t-1}[i_t]$, and $S_{t-1}[j_t]$, as $S_{t-1}[i]$ is in
all the cases uniquely determined by the remaining variables and the given
values of $i$, $S_t[i]$, $i_t$, and $Z_t$. Similarly, the forward recursion
(11) together with the conditional probability (14) determined in Appendix A
can be used to compute the posterior probabilities $\Pr\{j_t \mid Z_1^t\}$,
$0 \le j_t \le 2^n - 1$, from the previously computed posterior probabilities
$\Pr\{S_{t-1}[k] \mid Z_1^{t-1}\}$, $0 \le S_{t-1}[k] \le 2^n - 1$,
$0 \le k \le 2^n - 1$, and $\Pr\{j_{t-1} \mid Z_1^{t-1}\}$,
$0 \le j_{t-1} \le 2^n - 1$.

For each $t$, $1 \le t \le T$, the time complexities of updating the posterior
probabilities for $S_t[i]$ and $j_t$ are thus about $2^{5n}$ and $2^{3n}$
steps, respectively, each step consisting of computing the product of the
involved probabilities.
(1) We thus define the procedure FORWARD that, given the parameters $2^n$,
$T$, and $Z_1^T$, computes the output (terminal) probability distributions
$\Pr\{S_T[i] \mid Z_1^T\}$, $0 \le S_T[i] \le 2^n - 1$, $0 \le i \le 2^n - 1$,
and $\Pr\{j_T \mid Z_1^T\}$, $0 \le j_T \le 2^n - 1$, from the given input
(initial) probability distributions $\Pr\{S_0[i]\}$, $0 \le S_0[i] \le 2^n - 1$,
$0 \le i \le 2^n - 1$, and (fixed) $\Pr\{j_0\} = \delta_{0, j_0}$,
$0 \le j_0 \le 2^n - 1$ (where $\delta_{ij} = 1$ if $i = j$ and
$\delta_{ij} = 0$ if $i \ne j$).

Analogously, the backward recursions (19) and (20) together with the
corresponding conditional probabilities (21) and (22) determined in Appendix B
can be used to compute the posterior probabilities
$\Pr\{S_t[i] \mid Z_{t+1}^T\}$, $0 \le S_t[i] \le 2^n - 1$,
$0 \le i \le 2^n - 1$, and $\Pr\{j_t \mid Z_{t+1}^T\}$,
$0 \le j_t \le 2^n - 1$, respectively, from the previously computed posterior
probabilities $\Pr\{S_{t+1}[k] \mid Z_{t+2}^T\}$,
$0 \le S_{t+1}[k] \le 2^n - 1$, $0 \le k \le 2^n - 1$, and
$\Pr\{j_{t+1} \mid Z_{t+2}^T\}$, $0 \le j_{t+1} \le 2^n - 1$. Also, for each
$t$, $T - 1 \ge t \ge 0$, the time complexities of updating the posterior
probabilities for $S_t[i]$ and $j_t$ are thus $2^{5n}$ and $2^{3n}$
corresponding steps, respectively.

(2) We analogously define the procedure BACKWARD that, given the parameters
$2^n$, $T$, and $Z_1^T$, computes the output (initial) probability
distributions $\Pr\{S_0[i] \mid Z_1^T\}$, $0 \le S_0[i] \le 2^n - 1$,
$0 \le i \le 2^n - 1$, from the given input (terminal) probability
distributions $\Pr\{S_T[i]\}$, $0 \le S_T[i] \le 2^n - 1$,
$0 \le i \le 2^n - 1$, and $\Pr\{j_T\}$, $0 \le j_T \le 2^n - 1$. For
control, one can also produce the probability distribution
$\Pr\{j_0 \mid Z_1^T\}$, $0 \le j_0 \le 2^n - 1$.

(3) The basic iterative algorithm IA is composed of $M$ rounds, each round
consisting of the procedure FORWARD followed by the procedure BACKWARD, where
the output probability distributions of FORWARD are used as the input
probability distributions of BACKWARD, and where the input probability
distributions of FORWARD in each round are defined as the output probability
distributions of BACKWARD in the previous round. Initially, in the first
round, the uniform probability distributions $\Pr\{S_0[i]\} = 2^{-n}$,
$0 \le S_0[i] \le 2^n - 1$, $0 \le i \le 2^n - 1$, are used. The output
probability distributions of BACKWARD in the last round represent the soft
estimate of the initial table $S_0$ that produced the given keystream segment
$Z_1^T$.

The experiments obtained by computer simulations show that the iterative
algorithm in its basic form cannot recover the initial table $S_0$. However, a
modified version in which a given number of entries of $S_0$, that is,
$S_0[i]$, $1 \le i \le r$, are known can be successful provided that $r$ is
sufficiently large. In this case, the input probability distributions of
FORWARD are adjusted accordingly in each round. If these entries are not
known, then, at least in theory, they can be guessed either by exhaustive
search or by one of the methods from [6]. This, of course, is not feasible if
$r$ is large. Note that each guess is easily checked for correctness by
comparing the given keystream sequence with the output sequence produced from
the reconstructed initial table.

The minimal keystream sequence length $T$ required for a successful attack can
be estimated as the minimal $m$ such that $2^{nm} > 2^n!$
($T_{\min} = 5, 11, 24, 50, 103, 211$ for $n = 3, 4, 5, 6, 7, 8$,
respectively). Clearly, $T_{\min} < 2^n$. If $r$ entries are initially known,
then this estimate can be reduced accordingly. The total time complexity of IA
is thus about $2^{6n}$ corresponding steps.

Instead of the independence assumption, we can also work with the simplified
independence assumption. Accordingly, by using the corresponding forward and
backward recursions and conditional probabilities, we analogously define the
simplified procedures FORWARD' and BACKWARD' and the simplified iterative
algorithm IA'. Although the total number of computational steps remains the
same, the complexity of most steps is thus reduced.

5 Preliminary Experimental Results 

The objective of experiments conducted by computer simulations was to verify
if the iterative algorithms IA and IA' can recover the initial permutation
$S_0$ and to investigate the features of these algorithms. In each experiment,
the keystream segment $Z_1^T$ is first generated from a pseudorandomly chosen
$S_0$. Then for both IA and IA', the minimal $r$ as well as the minimal number
of rounds, $M$, for such $r$ that are required for successful recovery are
found. The choice of the keystream sequence length $T$ was also examined.

Numerous experiments were performed for $n = 3$ and $n = 4$, whereas the
results for larger $n$ require more computational power than was available.
Consequently, the following observations regarding the general features of
the algorithms IA and IA' can be made.

(1) Neither IA nor IA', in their basic form, are successful for $r = 0$. This
is probably because the (simplified) independence assumption is only an
approximation. More precisely, if the considered time $t$ increases, then
different entries of the table $S_t$ become more dependent on each other when
conditioned on $Z_1^t$. It is interesting to investigate if the algorithms IA
and IA' or the procedures FORWARD/BACKWARD and FORWARD'/BACKWARD' can be
(considerably) improved.

(2) For most permutations $S_0$, $r_{\min} = 1$ or 2 for $n = 3$ and
$r_{\min} = 4$ or 5 for $n = 4$. Accordingly, for $n = 8$, we may expect that
$r_{\min}$ is much smaller than 155 (see [6]). This remains to be verified by
experiments. Theoretical analysis of $r_{\min}$ as a function of $S_0$, given
$n$, seems to be difficult.

(3) In many cases (especially if $r_{\min} = 1$, $n = 3$, and $r_{\min} = 4$,
$n = 4$), it was found that $M_{\min} > 1$ (e.g., $M_{\min} = 2, 3, 4, 5$). In
many successful experiments, it was observed that the $j_t$ pointer sequence
was not uniquely determined in the first pass of FORWARD (unlike [6]).

(4) In most experiments, IA and IA' were equally successful (the same
$r_{\min}$) and in a number of cases, IA' converged faster than IA (smaller
$M_{\min}$). This is somewhat surprising, because IA' is simpler than IA.

(5) For convenience, in most experiments it was assumed that $T = 2^n$.
However, it was observed that in some cases decreasing $T$ resulted in
decreasing $M_{\min}$ or even $r_{\min}$. This means that increasing $T$ can
sometimes result in failure, and IA' is more sensitive than IA in this
respect.

(6) In the case of success, the probabilities in both IA and IA' converge to
either 0 or 1 thus yielding the correct hard estimates of $S_0$. In the case
of failure, the probability distributions either remain relatively flat or
sometimes yield wrong hard or mixed hard/soft estimates of $S_0$. Adaptation
of the algorithms so as to make use of partially correct hard estimates of
$S_0$ can be explored in future. Other ways of combining the procedures
FORWARD and BACKWARD (FORWARD' and BACKWARD') may also be investigated.

6 Conclusions 

An iterative probabilistic method for reconstructing the initial state of RC4
from a short segment of the keystream sequence is developed. The probabilistic
approach from [6] is used as a starting point, but the conducted probabilistic
analysis is more sophisticated. The method consists of a recursive computation
of the posterior probabilities of the internal state components given a
keystream segment. The forward and backward recursions of the posterior
probabilities are determined under the so-called independence and simplified
independence assumptions. The underlying conditional probabilities are
presented in sufficient detail for implementation. The corresponding iterative
algorithms are implemented in software. The experimental results obtained by
computer simulations are used to establish a number of features of the
proposed algorithms. As a number of entries of the initial table have to be
guessed correctly for the algorithms to be successful, the new attack,
although more effective than the one from [6], is expected to remain
impractical for the recommended word size of RC4.

Unlike [6], besides the forward recursions, our method also involves the
backward recursions, and the derived expressions are more precise than the
ones from [6], because the so-called ‘change of state’ and ‘observation of
output symbol’ effects are considered simultaneously rather than separately.
In addition, it is established that the introduced simplified independence
assumption gives rise to a faster, yet equally successful algorithm. The
proposed cryptanalytic algorithms have roughly the same time complexity as
the corresponding algorithm [6], but are more effective in that they require
fewer entries of the initial table to be known for the attack to recover the
whole initial table. Whether the algorithms can be improved by taking into
account the pairwise dependences between different entries of the table is an
interesting problem for future investigations.

Appendix 

A Conditional Probabilities: Forward Direction 

Let $\sigma = S_{t-1}[i_t] + S_{t-1}[j_t]$. In order to compute (13), we
distinguish between the following 15 cases, depending on the values of $i$,
$i_t$, $j_t$, and $\sigma$ being equal to or different from each other. We
utilize (5)-(7), the independence assumption, and the permutation constraint
that at any time different entries of the table must take different values.
Let $P$ denote the conditional probability in question. All the cases are
specified in sufficient detail for implementation.

Case 1 $i \ne i_t$, $j_t \ne i_t, i$, $\sigma \ne i, i_t, j_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t], S_{t-1}[j_t], S_{t-1}[i] \mid Z_1^{t-1}\}$
provided that $S_t[i] \ne Z_t$, $S_{t-1}[i] = S_t[i]$,
$S_{t-1}[i_t] \ne Z_t, S_t[i]$, and
$S_{t-1}[j_t] \ne Z_t, S_t[i], S_{t-1}[i_t], i - S_{t-1}[i_t], i_t - S_{t-1}[i_t], j_t - S_{t-1}[i_t]$.
Otherwise, $P = 0$.

Case 2 $i \ne i_t$, $j_t \ne i_t, i$, $\sigma = i$.

Then $P = 1$ provided that $S_t[i] = Z_t$, $S_{t-1}[i] = Z_t$,
$S_{t-1}[j_t] = i - S_{t-1}[i_t]$, $S_{t-1}[i_t] \ne Z_t, i - Z_t$, and
$2S_{t-1}[i_t] \ne i$. Otherwise, $P = 0$.

Case 3 $i \ne i_t$, $j_t \ne i_t, i$, $\sigma = i_t$.

Then $P = 1$ provided that $S_t[i] \ne Z_t$, $i_t \ne 2Z_t, Z_t + S_t[i]$,
$S_{t-1}[i] = S_t[i]$, $S_{t-1}[j_t] = Z_t$, and $S_{t-1}[i_t] = i_t - Z_t$.
Otherwise, $P = 0$.

Case 4 $i \ne i_t$, $j_t \ne i_t, i$, $\sigma = j_t$.

Then $P = 1$ provided that $S_t[i] \ne Z_t$, $S_{t-1}[i] = S_t[i]$,
$j_t \ne 2Z_t, Z_t + S_t[i]$, $S_{t-1}[i_t] = Z_t$, and
$S_{t-1}[j_t] = j_t - Z_t$. Otherwise, $P = 0$.

Case 5 $i \ne i_t$, $j_t = i$, $\sigma \ne i_t, j_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t], S_{t-1}[j_t] \mid Z_1^{t-1}\}$
provided that $S_t[i] \ne Z_t$, $S_{t-1}[i] = S_{t-1}[j_t]$,
$S_{t-1}[i_t] = S_t[i]$, and
$S_{t-1}[j_t] \ne Z_t, S_t[i], i - S_t[i], i_t - S_t[i]$. Otherwise, $P = 0$.

Case 6 $i \ne i_t$, $j_t = i$, $\sigma = i_t$.

Then $P = 1$ provided that $S_t[i] \ne Z_t$, $i_t = Z_t + S_t[i]$,
$S_{t-1}[i] = S_{t-1}[j_t]$, $S_{t-1}[i_t] = S_t[i]$, and
$S_{t-1}[j_t] = Z_t$. Otherwise, $P = 0$.

Case 7 $i \ne i_t$, $j_t = i$, $\sigma = j_t$.

Then $P = 1$ provided that $S_t[i] = Z_t$, $i \ne 2Z_t$,
$S_{t-1}[i] = S_{t-1}[j_t]$, $S_{t-1}[i_t] = Z_t$, and
$S_{t-1}[j_t] = i - Z_t$. Otherwise, $P = 0$.

Case 8 $i \ne i_t$, $j_t = i_t$, $\sigma \ne i, i_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t], S_{t-1}[i] \mid Z_1^{t-1}\}$
provided that $S_t[i] \ne Z_t$, $S_{t-1}[i] = S_t[i]$,
$S_{t-1}[i_t] \ne Z_t, S_t[i]$, $2S_{t-1}[i_t] \ne i, i_t$, and
$S_{t-1}[j_t] = S_{t-1}[i_t]$. Otherwise, $P = 0$.

Case 9 $i \ne i_t$, $j_t = i_t$, $\sigma = i$.

Then $P = 1$ provided that $S_t[i] = Z_t$, $S_{t-1}[i] = Z_t$,
$2S_{t-1}[i_t] = i$, $S_{t-1}[i_t] \ne Z_t$, and $S_{t-1}[j_t] = S_{t-1}[i_t]$.
Otherwise, $P = 0$.

Case 10 $i \ne i_t$, $j_t = i_t$, $\sigma = i_t$.

Then $P = 1$ provided that $S_t[i] \ne Z_t$, $i_t = 2Z_t$,
$S_{t-1}[i] = S_t[i]$, and $S_{t-1}[j_t] = S_{t-1}[i_t] = Z_t$. Otherwise,
$P = 0$.

Case 11 $i = i_t$, $j_t \ne i_t$, $\sigma \ne i_t, j_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t], S_{t-1}[j_t] \mid Z_1^{t-1}\}$
provided that $S_t[i] \ne Z_t$, $S_{t-1}[i] = S_{t-1}[i_t]$,
$S_{t-1}[j_t] = S_t[i]$, and
$S_{t-1}[i_t] \ne Z_t, S_t[i], i_t - S_t[i], j_t - S_t[i]$. Otherwise, $P = 0$.

Case 12 $i = i_t$, $j_t \ne i_t$, $\sigma = i_t$.

Then $P = 1$ provided that $S_t[i] = Z_t$, $i_t \ne 2Z_t$,
$S_{t-1}[i] = S_{t-1}[i_t] = i_t - Z_t$, and $S_{t-1}[j_t] = Z_t$. Otherwise,
$P = 0$.

Case 13 $i = i_t$, $j_t \ne i_t$, $\sigma = j_t$.

Then $P = 1$ provided that $S_t[i] \ne Z_t$, $i_t \ne Z_t + S_t[i] = j_t$,
$S_{t-1}[i] = S_{t-1}[i_t] = Z_t$, and $S_{t-1}[j_t] = S_t[i]$. Otherwise,
$P = 0$.

Case 14 $i = i_t = j_t$, $\sigma \ne i_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i] \mid Z_1^{t-1}\}$
provided that $S_t[i] \ne Z_t$, $i_t \ne 2S_t[i]$, and
$S_{t-1}[i_t] = S_{t-1}[j_t] = S_{t-1}[i] = S_t[i]$. Otherwise, $P = 0$.

Case 15 $i = i_t = j_t$, $\sigma = i_t$.

Then $P = 1$ provided that $S_t[i] = Z_t$, $i_t = 2Z_t$, and
$S_{t-1}[i] = S_{t-1}[i_t] = S_{t-1}[j_t] = Z_t$. Otherwise, $P = 0$.

Similarly, in order to compute (14), we distinguish between the following 5
cases, depending on the values of $i_t$, $j_t$, and $\sigma$ being equal to or
different from each other.

Case 16 $j_t \ne i_t$, $\sigma \ne i_t, j_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t], S_{t-1}[j_t] \mid Z_1^{t-1}\}$
provided that $S_{t-1}[i_t] \ne Z_t$ and
$S_{t-1}[j_t] \ne Z_t, S_{t-1}[i_t], i_t - S_{t-1}[i_t], j_t - S_{t-1}[i_t]$.
Otherwise, $P = 0$.

Case 17 $j_t \ne i_t$, $\sigma = i_t$.

Then $P = 1$ provided that $i_t \ne 2Z_t$, $S_{t-1}[j_t] = Z_t$, and
$S_{t-1}[i_t] = i_t - Z_t$. Otherwise, $P = 0$.

Case 18 $j_t \ne i_t$, $\sigma = j_t$.

Then $P = 1$ provided that $j_t \ne 2Z_t$, $S_{t-1}[i_t] = Z_t$, and
$S_{t-1}[j_t] = j_t - Z_t$. Otherwise, $P = 0$.

Case 19 $j_t = i_t$, $\sigma \ne i_t$.

Then $P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\} / \Pr\{S_{t-1}[\sigma] \ne S_{t-1}[i_t] \mid Z_1^{t-1}\}$
provided that $S_{t-1}[j_t] = S_{t-1}[i_t]$, $S_{t-1}[i_t] \ne Z_t$, and
$2S_{t-1}[i_t] \ne i_t$. Otherwise, $P = 0$.

Case 20 $j_t = i_t$, $\sigma = i_t$.

Then $P = 1$ provided that $i_t = 2Z_t$ and $S_{t-1}[j_t] = S_{t-1}[i_t] = Z_t$.
Otherwise, $P = 0$.

Under the simplified independence assumption, the conditional probability in
Cases 1, 5, 8, 11, 14, 16, and 19 is given as
$P = \Pr\{S_{t-1}[\sigma] = Z_t \mid Z_1^{t-1}\}$.

B Conditional Probabilities: Backward Direction 

Let $\sigma = S_{t+1}[i_{t+1}] + S_{t+1}[j_{t+1}]$. In order to compute (21),
we distinguish between the 15 cases, depending on the values of $i$,
$i_{t+1}$, $j_{t+1}$, and $\sigma$ being equal to or different from each
other. We utilize (15)-(17), the independence assumption or the simplified
independence assumption, and the permutation constraint that at any time
different entries of the table must take different values. The cases can be
obtained from the ones for the forward direction by using the substitution
$i_t \to i_{t+1}$, $j_t \to j_{t+1}$, $Z_t \to Z_{t+1}$, $S_{t-1} \to S_{t+1}$,
and $Z_1^{t-1} \to Z_{t+2}^T$, except that due to the fact that $Z_{t+1}$ is
derived from $S_{t+1}$ rather than $S_t$, the roles of $S_{t+1}[i_{t+1}]$ and
$S_{t+1}[j_{t+1}]$ are interchanged when $\sigma = i_{t+1}$ or
$\sigma = j_{t+1}$. Consequently, Cases 3', 4', 6', 7', 12', and 13' are given
below, whereas the other cases are directly obtained by the substitution
described above. Let $P$ denote the conditional probability in question.
Case 3' $i \ne i_{t+1}$, $j_{t+1} \ne i_{t+1}, i$, $\sigma = i_{t+1}$.

Then $P = 1$ provided that $S_t[i] \ne Z_{t+1}$,
$i_{t+1} \ne 2Z_{t+1}, Z_{t+1} + S_t[i]$, $S_{t+1}[i] = S_t[i]$,
$S_{t+1}[i_{t+1}] = Z_{t+1}$, and $S_{t+1}[j_{t+1}] = i_{t+1} - Z_{t+1}$.
Otherwise, $P = 0$.

Case 4' $i \ne i_{t+1}$, $j_{t+1} \ne i_{t+1}, i$, $\sigma = j_{t+1}$.

Then $P = 1$ provided that $S_t[i] \ne Z_{t+1}$, $S_{t+1}[i] = S_t[i]$,
$j_{t+1} \ne 2Z_{t+1}, Z_{t+1} + S_t[i]$, $S_{t+1}[j_{t+1}] = Z_{t+1}$, and
$S_{t+1}[i_{t+1}] = j_{t+1} - Z_{t+1}$. Otherwise, $P = 0$.

Case 6' $i \ne i_{t+1}$, $j_{t+1} = i$, $\sigma = i_{t+1}$.

Then $P = 1$ provided that $S_t[i] = Z_{t+1}$, $i_{t+1} \ne 2Z_{t+1}$,
$S_{t+1}[i] = S_{t+1}[j_{t+1}]$, $S_{t+1}[i_{t+1}] = Z_{t+1}$, and
$S_{t+1}[j_{t+1}] = i_{t+1} - Z_{t+1}$. Otherwise, $P = 0$.

Case 7' $i \ne i_{t+1}$, $j_{t+1} = i$, $\sigma = j_{t+1}$.

Then $P = 1$ provided that $S_t[i] \ne Z_{t+1}$, $i = Z_{t+1} + S_t[i]$,
$S_{t+1}[i] = S_{t+1}[j_{t+1}]$, $S_{t+1}[i_{t+1}] = S_t[i]$, and
$S_{t+1}[j_{t+1}] = Z_{t+1}$. Otherwise, $P = 0$.

Case 12' $i = i_{t+1}$, $j_{t+1} \ne i_{t+1}$, $\sigma = i_{t+1}$.

Then $P = 1$ provided that $S_t[i] \ne Z_{t+1}$, $i_{t+1} = Z_{t+1} + S_t[i]$,
$S_{t+1}[i] = S_{t+1}[i_{t+1}] = Z_{t+1}$, and $S_{t+1}[j_{t+1}] = S_t[i]$.
Otherwise, $P = 0$.

Case 13' $i = i_{t+1}$, $j_{t+1} \ne i_{t+1}$, $\sigma = j_{t+1}$.

Then $P = 1$ provided that $S_t[i] = Z_{t+1}$, $j_{t+1} \ne 2Z_{t+1}$,
$S_{t+1}[i] = S_{t+1}[i_{t+1}] = j_{t+1} - Z_{t+1}$, and
$S_{t+1}[j_{t+1}] = Z_{t+1}$. Otherwise, $P = 0$.

Similarly, in order to compute (22), we distinguish between the following 5
cases, depending on the values of $i_{t+1}$, $j_{t+1}$, and $\sigma$ being
equal to or different from each other. The cases are different from the ones
for the forward direction because, unlike $j_t$,
$j_{t+1} = j_t + S_{t+1}[j_{t+1}]$ is variable rather than given. Under the
simplified independence assumption, the conditional probability in Cases 16'
and 19' is given as $P = \Pr\{S_{t+1}[\sigma] = Z_{t+1} \mid Z_{t+2}^T\}$.

Case 16' $j_{t+1} \ne i_{t+1}$, $\sigma \ne i_{t+1}, j_{t+1}$.

Then $P = \Pr\{S_{t+1}[\sigma] = Z_{t+1} \mid Z_{t+2}^T\} / \Pr\{S_{t+1}[\sigma] \ne S_{t+1}[i_{t+1}], S_{t+1}[j_{t+1}] \mid Z_{t+2}^T\}$
provided that $S_{t+1}[i_{t+1}] \ne Z_{t+1}, j_t$ and
$S_{t+1}[j_{t+1}] \ne Z_{t+1}, S_{t+1}[i_{t+1}], i_{t+1} - S_{t+1}[i_{t+1}], i_{t+1} - j_t$.
Otherwise, $P = 0$.

Case 17' $j_{t+1} \ne i_{t+1}$, $\sigma = i_{t+1}$.

Then $P = 1$ provided that $i_{t+1} \ne 2Z_{t+1}$, $j_t \ne Z_{t+1}$,
$S_{t+1}[i_{t+1}] = Z_{t+1}$, and $S_{t+1}[j_{t+1}] = i_{t+1} - Z_{t+1}$.
Otherwise, $P = 0$.

Case 18' $j_{t+1} \ne i_{t+1}$, $\sigma = j_{t+1}$.

Then $P = 1$ provided that $j_t \ne Z_{t+1}, i_{t+1} - Z_{t+1}$,
$S_{t+1}[j_{t+1}] = Z_{t+1}$, and $S_{t+1}[i_{t+1}] = j_t$. Otherwise,
$P = 0$.

Case 19' $j_{t+1} = i_{t+1}$, $\sigma \ne i_{t+1}$.

Then $P = \Pr\{S_{t+1}[\sigma] = Z_{t+1} \mid Z_{t+2}^T\} / \Pr\{S_{t+1}[\sigma] \ne S_{t+1}[i_{t+1}] \mid Z_{t+2}^T\}$
provided that $i_{t+1} \ne 2j_t$, $j_t \ne i_{t+1} - Z_{t+1}$, and
$S_{t+1}[j_{t+1}] = S_{t+1}[i_{t+1}] = i_{t+1} - j_t$. Otherwise, $P = 0$.

Case 20' $j_{t+1} = i_{t+1}$, $\sigma = i_{t+1}$.

Then $P = 1$ provided that $i_{t+1} = 2Z_{t+1}$, $j_t = Z_{t+1}$, and
$S_{t+1}[j_{t+1}] = S_{t+1}[i_{t+1}] = Z_{t+1}$. Otherwise, $P = 0$.
Abstract. TriStrata appears to have implemented a variation of Maurer's
randomised cipher. We define a variation of Maurer's cipher that appears to
be similar to the TriStrata version, and show several cryptanalytical attacks
against our variant.



1 Introduction 

In 1990, Maurer introduced an information-theoretic provably-secure randomised 
cipher [Mau90]. Using a large pool of public random data, he shows how to use 
a key made up of multiple pointers into the pool to create a series of random 
streams to XOR into the plaintext. Someone with the same key can XOR the 
same random streams into the ciphertext to recover the plaintext; an analyst 
without the key must brute-force search the set of possible pointers to recover 
the plaintext. 

Recently, TriStrata Corporation [Tri98,Bec98] implemented a complexity- 
theoretic variation of that technique as a proprietary encryption algorithm. In 
this paper we first present what we infer to be the exact variation used by 
TriStrata, and take some initial steps in cryptanalysing the cipher. 

We should point out that our analysis does not apply to the original cipher 
proposed by Maurer, where the pool is chosen to be large enough that it is 
infeasible to read the entire contents of the pool. Unfortunately, Maurer’s cipher 
is not very practical — in his paper, he proposed digitizing the surface of the 
moon as one means of getting enough public randomness to make the cipher 
work — and hence not suited to present-technology implementation. We attack a 
simplified version, one which is more practical. 



2 The TriStrata Cipher 

The TriStrata Cipher is a key stream cipher with a two-part key. The first
part of the key is a 1 Mbyte ($2^{20}$ bytes) block of random data which we
call the pool. For practical reasons the pool is not changed very often. In
the TriStrata system, it appears to be fixed for a long time. Additionally,
the same pool is used by all clients in the system.

The second part of the key consists of a number of pointers that point to a
byte in the pool. Although our information is sketchy, we believe there are 5
pointers. Each pointer is 20 bits long, so the pointers together make up a
100-bit key.¹

To generate a byte of the key stream, the five bytes that the pointers point
to are XORed together. Each of the pointers is then advanced by one byte
position. If all pointers were to wrap around at the end of the pool, the
resulting key stream would have a period of only $2^{20}$ bytes. We assume
that the first pointer wraps at the end of the pool, the second pointer wraps
around one byte from the end, etc. We can thus represent the keystream
generation algorithm as follows:

$$k_i = \bigoplus_{j=1}^{5} \mathrm{pool}[(t_j + i) \bmod (2^{20} - j + 1)]$$

where $t_j$ is the starting position of the $j$'th pointer and $k_i$ is the
$i$'th byte of the key stream. The $i$'th byte of the ciphertext is formed by
XORing the $i$'th byte of the plaintext and $k_i$. This is one possible
generalisation of the Morehouse variation of the Vernam cipher [Kah68].

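The keystream rule above, as an added example (not TriStrata's or the authors' code), generalised from a $2^{20}$-byte pool with 5 pointers to a pool of $L$ bytes with $m$ pointers so that it can be run on a small constructed pool; it also computes the period of the pointer tuple to show why the staggered wrap-around matters.

```python
"""Added example (not TriStrata's or the authors' code): the keystream rule
of Section 2 generalised to a pool of L bytes and m pointers.  Pointer j
(1-based) advances by one byte and wraps at position L - j + 1, so
k_i = XOR_j pool[(t_j + i) mod (L - j + 1)].  The pool and pointer start
positions below are constructed sample values."""
from functools import reduce
from math import lcm


def keystream(pool, starts, length):
    """k_0 .. k_{length-1}: XOR of the bytes the m pointers point to, with
    pointer j wrapping one byte earlier than pointer j-1."""
    L = len(pool)
    out = []
    for i in range(length):
        k = 0
        for j, t in enumerate(starts, start=1):      # j = 1..m
            k ^= pool[(t + i) % (L - j + 1)]
        out.append(k)
    return out


def xor_stream(pool, starts, data):
    """Encrypt or decrypt: XOR the data with the keystream (self-inverse)."""
    ks = keystream(pool, starts, len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def pointer_period(L, m):
    """Period of the pointer tuple.  The moduli L, L-1, ..., L-m+1 are
    pairwise distinct, so the tuple repeats only after their lcm; if every
    pointer wrapped at L, the period would be just L (the point made in
    Section 2)."""
    return reduce(lcm, range(L - m + 1, L + 1))


def measured_period(pool, starts):
    """Smallest p > 0 with k_{i+p} = k_i for all i.  The keystream period
    divides the pointer period, so only its divisors need to be tried."""
    P = pointer_period(len(pool), len(starts))
    ks = keystream(pool, starts, 2 * P)
    for p in range(1, P + 1):
        if P % p == 0 and ks[p:P + p] == ks[:P]:
            return p
    return P


SAMPLE_POOL = bytes([3, 1, 4, 1, 5, 9, 2, 6])   # constructed 8-byte pool
SAMPLE_STARTS = (0, 3)                           # constructed: m = 2 pointers

if __name__ == "__main__":
    print(keystream(SAMPLE_POOL, SAMPLE_STARTS, 9))   # [2, 4, 13, 3, 6, 8, 6, 7, 6]
    print(pointer_period(8, 2), measured_period(SAMPLE_POOL, SAMPLE_STARTS))
    # With the paper's parameters the pointer period is a multiple of 2^20
    # that is far larger than 2^20 itself.
    print(pointer_period(2 ** 20, 5) // 2 ** 20)
```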
There are of course many other possible variations. The number of pointers 
can be changed, as can the update rule for the pointers (increment one is the 
simplest update rule). In Maurer’s cipher, each pointer cycles through its own 
unique subset of the pool. These variations do not affect the spirit of our analysis, 
and many of our attacks will work against such variations. 

In Sections 3-5 we will discuss various attacks on this cipher. Most of our 
attacks are known-plaintext attacks, which corresponds to a known-keystream 
attack. Some of the attacks are of theoretical interest only (as certificational 
attacks), but several are efficient enough to be of practical concern. See Table 1 
for a summary of cryptanalytic results. 

3 Finding the Pointers from a Known Pool 

In many situations the pool does not change very often, and is not really a
secret. For example, in the TriStrata system the same pool is used for all
clients in the system, so it is plausible to assume that the pool is known to
the attacker.² Alternatively, we might be able to recover the pool using the
techniques to be described later in Section 4.

3.1 Exhaustive Search 

Given 16 bytes of the key stream, we can search for a set of t_j values that would produce this key stream. It is very unlikely that one of the pointers performed a wrap-around within these 16 bytes, so we assume that this did not happen. We are thus looking for 5 sub-ranges in the pool of 16 bytes each that, when XORed together, result in the key stream.

¹ In comparison: Maurer gave an example that used 50 pointers and a pool of 2^[illegible] bits.
² Note that in Maurer's original system, this pool is assumed to be public information.

Table 1. A summary of our attacks on the Maurer-like stream cipher.

| Attack type        | Time    | Space       | Data         | Attack model               |
|--------------------|---------|-------------|--------------|----------------------------|
| Exhaustive search  | 2^93    | —           | 16 bytes     | Known-pool                 |
| Meet-in-the-middle | 2^57    | 2^39        | 16 bytes     | Known-pool                 |
| Improved MITM      | 2^57    | 2^23        | 16 bytes     | Known-pool                 |
| Weak keys          | 2^39    | 2^39        | 2^17 keys    | Known-pool                 |
| Linear algebra     | < 2^60  | [illegible] | 2^20 bytes   | Known-pointers             |
| Exhaustive search  | < 2^160 | [illegible] | 2^20 bytes   | Nothing known              |
| Vigenere analysis  | < 2^60  | [illegible] | 2^22.3 bytes | Nothing known              |
| Diff. related-key  | < 2^60  | [illegible] | 2^21 bytes   | Related-key; nothing known |
| Diff. related-key  | 5·2^20  | —           | 80 bytes     | 5 related keys; known-pool |
| Diff. fault        | 2^39    | 2^19        | 16 bytes     | Fault attack; known-pool   |

If all t_j values are distinct, then we have to try $\binom{2^{20}}{5} \approx 2^{93}$ different sets of values. If two t_j values are the same, their contributions to the key stream cancel out, and we look for a set of 3 pointers. The extreme case is when there are two pairs of t_j values that are identical, in which case the key stream is just a sub-range of the pool. These special cases do not contribute significantly to the complexity of the attack.

If one of the pointers did wrap around, the attack fails. We can repeat the attack on the next 16 bytes of the key stream, which will most likely succeed.

We conclude that an exhaustive search over the pointer values for a known pool has a complexity of 2^93 steps. Simple optimisations can make each of these steps extremely efficient.

3.2 Meet-in-the-Middle on the Pointers 

We can improve this if we use a meet-in-the-middle attack on the pointer space. We generate all pairs (t_1, t_2) and consider the key stream contributions made by these pointers. As (t_1, t_2) produces the same result as (t_2, t_1), we can restrict ourselves to the 2^39 cases where t_1 < t_2. We store these pairs in a list, and sort them lexicographically by the key stream that they generate. We have 2^39 pairs of 5 bytes each, which requires 2.5 Terabytes of memory. This list is computed once for a given pool and then stored. The complexity of this phase is 2^39 steps.

We then try all possible values for t_3, t_4, and t_5 in a second phase. There are $\binom{2^{20}}{3} \approx 2^{57}$ different values (again taking advantage of the fact that swapping two t values gives the same key stream). From these three t values and the known key stream, we compute the key stream contribution of the first two pointers. We now look in the sorted list to see if there is a pair of values for (t_1, t_2) that generates the required key stream. Each such search in the sorted list may be performed quickly using binary search or hashing.

The complexity of the second phase of the attack is about 2^57 steps, where each step requires a lookup in a sorted list of 2^39 elements.

We can make this attack practical by a simple divide-and-conquer technique. We split the work into 2^16 tasks, each identified by a two-byte string α. For each task, we first generate all pairs (t_1, t_2) as above whose contribution to the key stream starts with α. There are about 2^23 elements in this list. If we pre-compute a table that, given a two-byte string, points to all places in the pool where this two-byte string occurs, then we can construct this list in about 2^24 steps. The entire list requires about 40 Mbytes of memory, well within the range of even a standard desktop PC.

The second phase is to try all possible values for t_3, t_4, and t_5 with the restriction that their contribution XORed with the key stream starts with α. We try all possible values for t_3 and compute the desired first two bytes of the key stream contribution of […] and use the same pre-computed table to find these values. We then search for a suitable pair (t_1, t_2) in our list for which the rest of the key stream also matches.

For any single task α, the first phase has a complexity of 2^24 steps, and the second phase has a complexity of about 2^41 steps if we use some simple ordering requirements to avoid equivalent pointer values. As we have to perform a total of 2^16 tasks, the overall complexity of our attack is still 2^16 × (2^24 + 2^41) ≈ 2^57 steps. However, this improved version has a very reasonable memory requirement, and can be spread out over many machines. This attack should certainly be considered feasible for any reasonably sized organisation.
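An added example, not code from the paper, of the two-phase search above on a toy instance (64-byte pool, 16 known keystream bytes). It keeps each pointer's exact modulus rather than assuming no wrap-around, and does not use the t_1 < t_2 symmetry or the divide-and-conquer split, so it returns every pointer set consistent with the known bytes. The pool and the pointers are constructed with a seeded generator.

```python
# Added example (not code from the paper): meet-in-the-middle recovery of the
# five pointers of Section 3.2 on a toy instance. The paper's pool is 2^20
# bytes; here it is 64 bytes so the two phases run in well under a second.
import random

POINTER_COUNT = 5


def contribution(pool, j, t, length):
    """Keystream bytes contributed by pointer j (1-based) started at t:
    pool[(t + i) mod (M - j + 1)] for i < length, packed into one int so
    contributions can be XORed and used as dictionary keys."""
    m = len(pool) - j + 1
    return int.from_bytes(bytes(pool[(t + i) % m] for i in range(length)), "big")


def keystream(pool, pointers, length):
    k = 0
    for j, t in enumerate(pointers, start=1):
        k ^= contribution(pool, j, t, length)
    return k.to_bytes(length, "big")


def meet_in_the_middle(pool, known):
    """Return every pointer tuple (t1, ..., t5) producing the known bytes.
    Phase 1 tabulates c1 XOR c2 over all (t1, t2); phase 2 enumerates
    (t3, t4, t5) and looks up keystream XOR c3 XOR c4 XOR c5 in the table."""
    M, n = len(pool), len(known)
    target = int.from_bytes(known, "big")
    # c[j-1][t]: contribution of pointer j starting at t (t below its modulus)
    c = [[contribution(pool, j, t, n) for t in range(M - j + 1)]
         for j in range(1, POINTER_COUNT + 1)]
    table = {}
    for t1, c1 in enumerate(c[0]):
        for t2, c2 in enumerate(c[1]):
            table.setdefault(c1 ^ c2, []).append((t1, t2))
    hits = []
    for t3, c3 in enumerate(c[2]):
        for t4, c4 in enumerate(c[3]):
            partial = target ^ c3 ^ c4
            for t5, c5 in enumerate(c[4]):
                for t1, t2 in table.get(partial ^ c5, ()):
                    hits.append((t1, t2, t3, t4, t5))
    return hits


def toy_instance(seed=1, pool_size=64):
    """Constructed sample: a pseudo-random pool and a pointer tuple with
    each t_j below its modulus M - j + 1."""
    rng = random.Random(seed)
    pool = bytes(rng.randrange(256) for _ in range(pool_size))
    pointers = tuple(rng.randrange(pool_size - j + 1)
                     for j in range(1, POINTER_COUNT + 1))
    return pool, pointers


if __name__ == "__main__":
    pool, key = toy_instance()
    ks = keystream(pool, key, 16)
    print("true pointers:", key)
    print("recovered:    ", meet_in_the_middle(pool, ks))
```

The table in phase 1 has M·(M−1) entries and phase 2 visits about M^3 triples, which is the 2^39-space, 2^57-time shape of the full-size attack; with 16 known bytes the 128-bit match makes a false hit vanishingly unlikely, so the list normally contains only the true pointers.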

3.3 Weak Keys 

If the pointer values are generated randomly, then about one in every 2^17 keys has at least two pointers with the same starting value. The contributions of these pointers cancel, and we are left with at most three relevant pointers. Using the techniques described here, these pointers can be found with very little work. Thus about one in every 2^17 keys is a weak key.

With sufficient cryptanalytic targets, we could expect to break our first key after about 2^39 steps. Build a table of 2^39 elements by enumerating all possibilities for the first two pointers. Next, for each cryptanalytic target, check whether it forms a weak key by guessing the third pointer and doing a table lookup. This takes 2^20 work to see if a key is weak; after 2^17 such attempts, we expect to find a single weak key which we can break. Thus, the total complexity is 2^39 work and 2^39 space, assuming at least 2^17 different keystream segments are available for analysis.

4 Finding the Pool 

The attacks in Section 3, above, assumed that the pool was known to the ad- 
versary. However, as we now show, even when the pool is unknown, it may be 
possible to recover the pool using more sophisticated techniques, and then the 
techniques of Section 3 will apply. 
4.1 The Known-Pointers Case: Linear Algebra

Let us assume that we know the t_j values for a given encryption. Then each known byte of the key stream gives us a linear equation in 5 values of the pool. After one million key stream bytes we expect to have a non-singular set of equations and can solve for the bytes in the pool.

If we do not use the correct values for t_j, then we can expect the set of equations to be contradictory very soon after the first million key stream bytes. This allows us to detect whether a set of values for t_j is correct.

If we are just interested in detecting whether a set of t_j values is correct, we can perform this analysis for some subset of the bits in a byte. For example, it could be done for the least significant bit of each pool byte. This optimisation requires less memory and might be faster. We have not investigated the exact performance tradeoffs of this attack in detail. It might be possible to take advantage of the highly structured form of the equations instead of using an algorithm for general linear equations.



4.2 When Pointers are Unknown: Exhaustive Search 

We can use the result of Section 4.1 to mount an exhaustive search attack. For each possible set of t_j values, perform the attack of Section 4.1. If the set of equations is contradictory, the values for t_j are incorrect. If a consistent set of pool bytes is found, the full key has been recovered. This attack requires about 2^160 steps, where each step consists of setting up just over a million equations and checking for a contradiction.
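An added example (not the paper's code) of the linear-algebra step of Section 4.1 and the consistency test of Section 4.2 on a toy 32-byte pool: each known keystream byte is one equation over GF(2) in the pool positions with a byte-valued right-hand side, Gaussian elimination solves or reports a contradiction, and a contradiction is what rejects a wrong pointer guess. The sample pool, the pointers, and the deliberately wrong guess are constructed for the example.

```python
# Added example (not code from the paper): Section 4.1's linear algebra on a
# toy instance (32-byte pool). solve_pool returns None on a contradiction,
# which is the test Section 4.2 applies to every pointer guess.
import random

POINTER_COUNT = 5


def keystream(pool, pointers, length):
    """k_i = XOR over j of pool[(t_j + i) mod (M - j + 1)], as in Section 2."""
    M = len(pool)
    out = bytearray()
    for i in range(length):
        k = 0
        for j, t in enumerate(pointers, start=1):
            k ^= pool[(t + i) % (M - j + 1)]
        out.append(k)
    return bytes(out)


def solve_pool(known, pointers, pool_size):
    """Gaussian elimination over GF(2): one equation per known keystream
    byte, unknowns are the pool bytes, a row is a bit mask of pool
    positions. Returns a pool satisfying every equation (free positions set
    to 0), or None when the equations contradict each other, which means
    the pointer guess is wrong."""
    pivots = {}  # pivot position -> (row mask, XOR of keystream bytes)
    for i, k in enumerate(known):
        mask, rhs = 0, k
        for j, t in enumerate(pointers, start=1):
            mask ^= 1 << ((t + i) % (pool_size - j + 1))  # a repeated position cancels
        for bit, (pm, pr) in pivots.items():  # reduce by the pivots found so far
            if (mask >> bit) & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                return None  # 0 = non-zero byte: contradiction
            continue  # redundant equation
        bit = mask.bit_length() - 1
        for b, (pm, pr) in list(pivots.items()):  # keep the pivot rows mutually reduced
            if (pm >> bit) & 1:
                pivots[b] = (pm ^ mask, pr ^ rhs)
        pivots[bit] = (mask, rhs)
    pool = bytearray(pool_size)
    for bit, (_, rhs) in pivots.items():
        pool[bit] = rhs
    return bytes(pool)


def toy_instance(seed=3, pool_size=32):
    """Constructed sample: pseudo-random pool, pointers below their moduli."""
    rng = random.Random(seed)
    pool = bytes(rng.randrange(256) for _ in range(pool_size))
    pointers = tuple(rng.randrange(pool_size - j + 1) for j in range(1, POINTER_COUNT + 1))
    return pool, pointers


def wrong_guess(pointers, pool_size):
    """The same pointers with t_1 moved by one position: a wrong guess."""
    return ((pointers[0] + 1) % pool_size,) + pointers[1:]


if __name__ == "__main__":
    pool, key = toy_instance()
    ks = keystream(pool, key, 4 * len(pool))  # four equations per unknown
    print("correct pointers consistent:", solve_pool(ks, key, len(pool)) is not None)
    print("wrong pointers consistent:  ", solve_pool(ks, wrong_guess(key, len(pool)), len(pool)) is not None)
```

Four keystream bytes per pool byte give many more equations than unknowns, so with wrong pointers the reduced rows almost always demand 0 = non-zero and the guess is rejected early; with the right pointers the solver returns a pool that reproduces the whole keystream (the true pool whenever the system has full rank).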



4.3 Unknown Pointers: A Vigenere Analysis 

When the t_j values are unknown, we can still recover the entire pool from about 5·2^20 bytes of known keystream by treating the cipher as a multiple-loop Vigenere cipher. We let

$$k_{i,j} = \mathrm{pool}\big[(t_j + i) \bmod (2^{20} - j + 1)\big]$$

so that $k_i = k_{i,1} \oplus \cdots \oplus k_{i,5}$. Each $k_{\cdot,j}$ takes the form of a Vigenere cipher, and their XOR is a five-loop Vigenere cipher. Here we shall ignore the fact that the five streams are related, and simply treat them as independent values.

Such ciphers can be readily cryptanalyzed by standard methods [Sin68,Tuc70], such as the application of linear algebra. In this way, with about 5·2^20 bytes of known keystream, we can completely recover the five streams $k_{\cdot,1}, \ldots, k_{\cdot,5}$. Once the $k_{i,j}$ are known, the initial pointer values t_j and the contents of the pool can be readily obtained by inspection of the $k_{i,j}$.

The discussion in Section 2 suggested using a different modulus for each pointer, because otherwise the keystream k_i would have a relatively short period of only 2^20 bytes. This attack shows that using a different modulus for each pointer does not extend the security of the cipher very much: not more than by a factor of five, in any case. Also, we note that this attack does not work against the variant where each stream has the same period, because we will not be able to obtain the required quantity of known keystream material. These observations suggest that it might not make much difference whether we use the same modulus for the pointers or not.

5 Differential Fault and Related-Key Attacks 

We next show that, when a few bits from the pool can be corrupted, improved 
attacks are available. We first discuss how to mount such attacks when the 
adversary can make related-key queries, and then we illustrate how random bit 
errors can enable a differential fault attack on the cryptosystem. 

5.1 Differential Related-Key Attack on the Pool 

Let us assume that the attacker can force a low-weight change in the pool. This 
can either be done by manipulating the distribution protocol, tampering with 
the stored pool, or waiting for a random bit error to occur. 

In this case, the attacker can determine the distances between the different pointers by observing where the erroneous key stream deviates from the proper key stream. If two Megabytes of key stream are available, this reveals the distance between the pointers. If the attacker knows where the error in the pool occurred, then the pointer values are revealed and the pool can be reconstructed using the attacks in Section 4. If the attacker does not know this, then he has to guess the position and has to perform some attack from Section 4 at most […] times.

5.2 Differential Related-Key Attack on the Pointers 

If the pool is known, a differential attack on a pointer will reveal the position of the pointer. Let us assume the attacker flips the least significant bit of pointer 1. The difference between the modified key stream and the original key stream uniquely determines the value of pointer 1. This attack can be repeated for each of the pointers, resulting in an attack that requires 5 related key queries and a complexity of 5·2^20.

The attack can be generalized to use fewer related key queries; see the next subsection for an example. […] meet-in-the-middle attack on the three-pointer cipher, as described in Sections 3.2 and 3.3; this latter computation will require 2^39 work and 2^20 space. In sum, the generalized attack requires one related-key query, a few bytes of known text, 2^39 work, and 2^20 space.

5.3 Random Error Attack 

We can extend this to the case where the attacker suspects there is a random bit error in the pointers. As before, the attacker can determine one of the pointers from the difference in the key stream. The remaining 4 pointers can be found with a meet-in-the-middle attack like the one in Section 3.2 with a complexity of 2^39. This is a kind of differential fault analysis, where a low-weight difference in the key input yields information that helps the attacker significantly.

6 Security Improvements

The obvious way to improve the security is to increase the number of pointers. This will make many of the attacks harder to implement in practice, but also results in a slower cipher. A rough estimate shows that a version with the same size of pool but 14 pointers can be attacked in 2^128 steps using the meet-in-the-middle attack of Section 3.2. The resulting cipher would be slower by a factor of 3 or so, and still be vulnerable to the attack in Section 4.3.

7 Uses of Maurer-Type Ciphers 

Simplified variants of Maurer's cipher might be useful for very specific applications. For example, let us suppose we need to encrypt a very long stream of data very rapidly. We generate a pool and a set of starting pointers using a cryptographically strong pseudo-random generator, and use the type of cipher we described here to encrypt the bulk data. Using 4-, 8-, or even 16-byte words instead of bytes would increase the efficiency of the algorithm even further. Such a construction would have to be carefully crafted and analysed. This deserves a lot of further study, and until that has been done this type of cipher should not be used.

The cipher we analyzed is similar (in some ways) to other ciphers published elsewhere. For instance, Chameleon [AM97] uses four pointers into a pool of 2^16 64-bit words; however, the primary difference is that Chameleon drives the pointers with another (slower) stream cipher, rather than generating them by incrementing. In fact, in Chameleon the random bit error property of Section 5.1 is a feature, not a bug: it is exploited to detect traitors. Another paper [AVV95] describes a "provably secure" stream cipher which uses a Maurer-like cipher as an internal component; there, they use eight pointers into a pool of 2^[illegible] 512-bit words, and again, the pointers are updated as in Chameleon rather than by incrementing. We leave it as an open question to extend our analysis to these cases.

8 Conclusion 

Simplified Maurer-like ciphers are not always secure. We have shown that many 
variations can be broken far more effectively than an exhaustive search of the 
key space. Several of our attacks are quite practical. 

Acknowledgements. We are grateful to David Bernier and to the anonymous 
reviewers for their helpful comments. 
Abstract. This paper shows how suitable choice of cost function can significantly affect the power of optimisation methods for the synthesising of Boolean functions. In particular we show how simulated annealing, coupled with a new cost function motivated by Parseval's Theorem, can be used to drive the search into areas of design from which traditional techniques, such as hill-climbing, can then find excellent solutions.



1 Introduction 

Cryptography needs ways to find good Boolean functions so that ciphers can re- 
sist various forms of cryptanalytical attack (particularly linear cryptanalysis and 
differential cryptanalysis). The main properties required are high non-linearity 
and low autocorrelation [9]. Recent work [7] has investigated and compared the 
use of random search, hill-climbing, genetic algorithms and a hybrid approach 
for the derivation of Boolean functions with high non-linearity. Other work [9] 
has investigated the use of enhanced hill-climbing methods to derive balanced 
Boolean functions with high non-linearity and low autocorrelation. 

In this paper we investigate the use of another heuristic technique, namely simulated annealing [4] (based on the annealing process for metals). The technique has been used by other researchers to break simple substitution and transposition ciphers [1,2] and to cryptanalyse systems based on the NP-hardness of discovering a trapdoor secret, e.g. attacks on the Permuted Perceptron Problem (PPP) [5]. In optimisation-based methods the cost (or fitness) function plays a crucial role. For highly non-linear Boolean function design, extant optimisation methods seek to maximise the non-linearity directly. In this paper we introduce a new cost function (motivated by Parseval's Theorem) that enables the search to reach areas of the design space from which hill-climbing techniques can be used more effectively. Using this new and simple cost function we are able to converge on areas of the solution space with high non-linearity and low autocorrelation.

The paper is structured as follows. In Section 2 we recap on basic Boolean 
function terminology. In Section 3 we outline the notion of local search, describe 
the simulated annealing algorithm, discuss the cost functions currently used and 
provide a template for enhanced cost functions. Section 4 shows how using a 
two-stage strategy using our new cost function at the first stage provides better 
results than direct maximisation of non-linearity alone. It provides comparisons 
with functions derived from random generation followed by hill-climbing (which 
is far more effective than random generation alone as shown in [8]). In Section 4.2 
we show how the basic technique can be significantly improved by suitable pa- 
rameter selection. 

2 Boolean Functions 

This section summarises the basic cryptographic definitions needed. We shall denote the binary truth table of a Boolean function by $f : Z_2^n \to Z_2$, mapping each combination of n binary variables to some binary value. If the number of combinations mapping to 0 is the same as the number mapping to 1 then the function is said to be balanced. The polarity truth table is a particularly useful representation for our purposes. It is defined by $\hat{f}(x) = (-1)^{f(x)}$. Two functions f and g are said to be uncorrelated when $\sum_x \hat{f}(x)\hat{g}(x) = 0$. If so, if you approximate f by using g you will be right half the time and wrong half the time. An area of particular importance for cryptanalysts is the ability to approximate a function f by a simple linear function. One of the cryptosystem designer's tasks is to make such approximation as difficult as possible (by making the function f suitably non-linear). We shall make use of the following terms:

Linear Boolean Function. A linear Boolean function, selected by $\omega \in Z_2^n$, is denoted by $L_\omega(x) = \omega_1 x_1 \oplus \omega_2 x_2 \oplus \cdots \oplus \omega_n x_n$.

Affine Function. The set of affine functions is the set of linear functions and their complements, $A_{\omega,c}(x) = L_\omega(x) \oplus c$.

Walsh Hadamard Transform. For a Boolean function f the Walsh-Hadamard Transform F is defined by $F(\omega) = \sum_x \hat{f}(x)\hat{L}_\omega(x)$. We denote the maximum absolute value taken by the transform by $WH_{max}(f) = \max_{\omega \in Z_2^n} |F(\omega)|$. It is related to the non-linearity of f.

Non-linearity of f. The non-linearity $N_f$ of a Boolean function f is the minimum distance to any affine function. It is given by

$$N_f = \frac{1}{2}\left(2^n - WH_{max}(f)\right)$$

Parseval's Theorem. This states that $\sum_{\omega} F(\omega)^2 = 2^{2n}$. A consequence of this result is that $WH_{max}(f) \ge 2^{n/2}$. This motivates our new cost function.

Autocorrelation. The autocorrelation $AC_f$ of a Boolean function f is given by $AC_f = \max_s \left|\sum_x \hat{f}(x)\hat{f}(x \oplus s)\right|$. Here x and s range over $Z_2^n$ and $x \oplus s$ denotes bitwise XOR (and so produces a result in $Z_2^n$).

3 Discrete Optimisation Approaches 

3.1 Overview 

Optimisation techniques work either with a single candidate solution or with a 
population of candidate solutions. Both have been used in the design of Boolean 
functions, for example hill-climbing (single) [9] and genetic algorithms (popu- 
lation) [8]. Techniques working with a single solution are usually termed local 
since they consider moving to solutions that are ‘close’ to the current one (i.e. 
are in the local neighbourhood). In contrast, population-based techniques are 
typically described as global. The distinction is not essential (with suitable ab- 
straction population based approaches can also be viewed as local) but we shall 
follow convention and refer to the simulated annealing-based search we use in 
this paper as a local search technique. 

The optimisation is carried out with respect to some 'evaluation function' that measures how 'good' a candidate is. The terms 'fitness function' and 'cost function' are also used. 'Fitness' is used most naturally for maximisation problems and 'cost' for minimisation problems. To work effectively, an evaluation function must provide sufficient guidance to the search process. In formal terms we require reasonable local smoothness (essentially, the fitness/cost values of neighbouring solutions are not too different from the value of the current one). The non-linearity function $N_f$ is reasonably smooth [8].

We aim to provide balanced functions with high non-linearity (and low autocorrelation). We shall adopt a strategy that starts with a balanced but otherwise random function and moves only to neighbouring solutions that preserve balance. We define the neighbourhood of a balanced function f to be all functions g obtained from f by swapping any two dissimilar values associated with two domain elements $x, y \in Z_2^n$ (we shall refer to the normal representation f and the polar representation $\hat{f}$ as convenient). In formal terms, g is in the neighbourhood of f if $\exists\, x, y \in Z_2^n$ such that

1. $f(x) \neq f(y)$

2. $g(x) = f(y),\ g(y) = f(x)$ and

3. $\forall z \in Z_2^n \setminus \{x, y\} : g(z) = f(z)$

A local search starts at some initial solution $f_0$ and advances through a series of neighbouring solutions $f_1 \cdots f_{end}$. Restrictions may be placed on the relative fitnesses of consecutive $f_i$. These determine the nature of the search. Millan et al [9] characterise the fitness of a solution f by the pair of values $(N_f, AC_f)$. For non-linearity a strong strategy allows only moves that strictly improve $N_f$, i.e. we must have $N_{f_{i+1}} > N_{f_i}$. A weak strategy requires only that moves do not make the non-linearity worse, i.e. we require only $N_{f_{i+1}} \ge N_{f_i}$. Finally it is possible to impose no restrictions on non-linearity. Similar considerations apply to autocorrelation, e.g. a strong strategy would require that $AC_{f_{i+1}} < AC_{f_i}$ (since improving here means smaller autocorrelation). Millan et al [9] describe nine search strategies, each combining a strategy for non-linearity and a strategy for autocorrelation. Imposing some element of restriction corresponds to what is generally known as hill-climbing. The most restrictive strategy is (strong, strong). The most permissive is (none, none), essentially allowing a random walk.

A problem with hill-climbing methods is that they can get stuck in local 
optima. Some modern heuristic local search techniques work by encouraging 
improving moves but allowing (or, with some techniques, forcing) some worsening moves to be accepted as a means of escaping such local optima. Simulated annealing is one such technique and is described in Section 3.4.

In this paper, a minimisation framework is the most natural. We shall opti- 
mise with respect to two different cost functions in a two-stage search. 

3.2 Cost Functions 

Current optimisation work in non-linearity attempts to improve the non-linearity directly. Equivalently (see the definition of $N_f$ in Section 2), it seeks to minimise the cost function

$$\mathrm{cost}(f) = WH_{max}(f)$$

Essentially, the search considers the effect of a move only on those extreme (or near extreme) values of the Walsh Hadamard Transform $F(\omega)$ for the current solution. A more indirect approach can be derived by considering Parseval's theorem below.

$$\sum_{\omega} F(\omega)^2 = 2^{2n}$$

This constrains $WH_{max}(f) = \max_{\omega \in Z_2^n} |F(\omega)|$ to be at least $2^{n/2}$. It would achieve this bound when for each ω, $|F(\omega)| = 2^{n/2}$. In practice this bound may be impossible. When some $|F(\omega)|$ are greater than this ideal bound, Parseval's theorem ensures that some $|F(\omega)|$ must be smaller than it. Thus, it would appear that attempting to restrict the spread of absolute values achieved is well-motivated. This suggests a cost function of the following form:

$$\mathrm{cost}(f) = \sum_{\omega} \Big|\, |F(\omega)| - 2^{n/2} \,\Big|^R$$

The value R is positive and can be varied. In the experiments reported here we have mostly used R = 3. Note that it does not necessarily follow that a reduction in our cost function gives rise to an increase in non-linearity, but if the range of absolute values is small, then the maximum value will be small too. In Section 4.2 we shall further generalise this cost function.

3.3 Calculating Effects of Moves 

Every time a move is considered or accepted we must recalculate the values for the various $F(\omega)$. It is far more efficient to calculate the changes for each transform using some simplifying equations [9]. If swapping the values of f(x) and f(y) is a valid move (see Section 3.1) then each Walsh Hadamard Transform $F(\omega)$ is changed by an amount

$$\Delta F(\omega) = -2\hat{f}(x)\hat{L}_\omega(x) - 2\hat{f}(y)\hat{L}_\omega(y)$$

$$\Delta F(\omega) \in \{-4, 0, +4\}$$

Similar formulae are also available for dealing with changes to correlation elements $r_f(s) = \sum_x \hat{f}(x)\hat{f}(x \oplus s)$.

3.4 Simulated Annealing 

Simulated annealing is a local search technique that allows escape from local 
optima. From the current state a move in a local neighbourhood is generated 
and considered. Improving moves are always accepted. Worsening moves may 
also be accepted probabilistically in a way that depends on the temperature T 
of the search and the extent to which the move is worse. A number of moves are 
considered at each temperature. Initially the temperature is high and virtually 
any move is accepted. Gradually the temperature is cooled and it becomes ever 
harder to accept worsening moves. Eventually the process ‘freezes’ and only 
improving moves are accepted at all. If no move has been accepted for some time 
then the search halts. The technique has the following principal parameters: 

— the temperature T

— the cooling rate α ∈ (0, 1)

— the number of moves N considered at each temperature cycle

— the number MaxFailedCycles of consecutive failed temperature cycles (where no move is accepted) before the search aborts

— the maximum number ICmax of temperature cycles considered before the search aborts

The initial temperature $T_0$ is obtained by the technique itself. The other values are typically supplied by the user. In the work described here they remain fixed during a run. More advanced approaches allow these parameters to vary dynamically during the search. The simulated annealing algorithm is as follows:

1. Let $T_0$ be the start temperature. Increase this temperature until the percentage of moves accepted within an inner loop of N trials exceeds some threshold (e.g. 95%).

2. Set IC = 0 (iteration count), finished = false and ILSinceLastAccept = 0 (number of inner loops since a move was accepted) and randomly generate an initial current solution $f_{curr}$.

3. while (not finished) do 3a-3d

a) Inner Loop: repeat N times

i. $f_{new}$ = generateMoveFrom($f_{curr}$)

ii. calculate change in cost: $\Delta cost = \mathrm{cost}(f_{new}) - \mathrm{cost}(f_{curr})$

iii. If $\Delta cost < 0$ then accept the move, i.e. $f_{curr} = f_{new}$

iv. Otherwise generate a value u from a uniform(0,1) random variable. If $\exp(-\Delta cost / T) > u$ then accept the move, otherwise reject it.

b) if no move has been accepted in the most recent inner loop then ILSinceLastAccept = ILSinceLastAccept + 1

c) T = T × α, IC = IC + 1

d) if (ILSinceLastAccept > MaxFailedCycles) or (IC > ICmax) then finished = true

4. the current value of f is taken as the final 'solution'.

Note that as T decreases to 0 then $\exp(-\Delta cost / T)$ also tends to 0 if $\Delta cost > 0$, and so the chances of accepting a worsening move become vanishingly small as the temperature is lowered.



3.5 Two-Stage Approach 

Our technique can now be described very simply: 

1. carry out a search using simulated annealing to reach a solution $f_{sa}$ with a very low value of the uniform cost function. Calculate the non-linearity $N_{f_{sa}}$ of this solution.

2. hill-climb from $f_{sa}$ to reach a solution $f_{end}$ that is locally optimal with respect to non-linearity (as in [7]). Thus we minimise $WH_{max}(f)$.

We view the initial stage as 'getting in the right area'. Spending too much effort at this stage might actually be counter-productive. Since the initial stage is just a means to an end, we are free to make pragmatic concessions with respect to parameter values. Thus, for example, it is often recommended that N should be equal to the size of the neighbourhood. Even for small problems this would consume much computational effort. We are not bound by this recommendation and choose much smaller N. In fact N = 400 was used for all our experiments.
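An added example, not the authors' code, implementing the notions of Section 2 (polarity truth table, Walsh-Hadamard transform, $N_f$, $AC_f$), the Parseval-motivated cost of Section 3.2 with the K offset of Section 4.2, the incremental $\Delta F(\omega)$ update of Section 3.3, and the two-stage search of Sections 3.4 and 3.5 (simulated annealing on the Parseval cost, then strong hill-climbing on $N_f$). The helper names (`improving_swap`, `accept`, `random_move`) and the keyword parameter names are the example's own; the defaults are the paper's N = 400, α = 0.8, 50 failed cycles, 300 cycles and R = 3.

```python
# Added example (not the authors' code): the measures of Section 2, the Parseval
# cost of Sections 3.2/4.2, the incremental update of Section 3.3 and the two-stage
# search of Sections 3.4/3.5. f is a 0/1 truth table of length 2^n, indexed by x.
import math
import random

def polarity(f):
    return [1 - 2 * b for b in f]  # polarity truth table f^(x) = (-1)^f(x)

def walsh_hadamard(fhat):
    """F(w) = sum_x f^(x) L^_w(x) for every w, by the fast butterfly."""
    F, h = list(fhat), 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def nonlinearity(f):
    return (len(f) - max(abs(v) for v in walsh_hadamard(polarity(f)))) // 2  # (2^n - WH_max)/2

def autocorrelation(f):
    """AC_f = max over s != 0 of |sum_x f^(x) f^(x xor s)|."""
    fh = polarity(f)
    return max(abs(sum(fh[x] * fh[x ^ s] for x in range(len(f)))) for s in range(1, len(f)))

def parseval_cost(F, n, R=3, K=0):
    """cost(f) = sum_w | |F(w)| - (2^(n/2) + K) |^R; K = 0 is Section 3.2's form."""
    target = 2 ** (n / 2) + K
    return sum(abs(abs(v) - target) ** R for v in F)

def lhat(w, x):
    return -1 if bin(w & x).count("1") % 2 else 1  # L^_w(x) = (-1)^(w . x)

def updated_transform(F, fhat, x, y):
    """Section 3.3: swapping the differing f(x), f(y) changes each F(w) by
    -2 f^(x) L^_w(x) - 2 f^(y) L^_w(y), a value in {-4, 0, +4}."""
    return [F[w] - 2 * fhat[x] * lhat(w, x) - 2 * fhat[y] * lhat(w, y) for w in range(len(F))]

def swapped(f, x, y):
    g = list(f)
    g[x], g[y] = f[y], f[x]
    return g

def random_balanced(n, seed):
    f = [0] * 2 ** (n - 1) + [1] * 2 ** (n - 1)  # balanced start point
    random.Random(seed).shuffle(f)
    return f

def random_move(f, rng):
    """Neighbour of Section 3.1: x with f(x) = 0 and y with f(y) = 1."""
    return (rng.choice([i for i, b in enumerate(f) if b == 0]),
            rng.choice([i for i, b in enumerate(f) if b == 1]))

def accept(d, T, rng):
    """Steps 3a iii-iv: improving moves always, worse ones with probability exp(-d/T)."""
    return d < 0 or math.exp(-d / T) > rng.random()

def simulated_annealing(f, n, rng, N=400, alpha=0.8, max_failed=50, ic_max=300, R=3, K=0):
    """Stage 1 (Section 3.4): anneal on the Parseval cost."""
    fhat, F = polarity(f), walsh_hadamard(polarity(f))
    cost, T = parseval_cost(F, n, R, K), 1.0
    def trial():  # cost change of a random move, without applying it
        return parseval_cost(updated_transform(F, fhat, *random_move(f, rng)), n, R, K) - cost
    while sum(accept(trial(), T, rng) for _ in range(N)) <= 0.95 * N:
        T *= 2  # step 1: raise T until over 95% of N trial moves get accepted
    failed = 0
    for _ in range(ic_max):  # step 3: temperature cycles
        accepted = False
        for _ in range(N):  # 3a: inner loop of N moves
            x, y = random_move(f, rng)
            F_new = updated_transform(F, fhat, x, y)
            d = parseval_cost(F_new, n, R, K) - cost
            if accept(d, T, rng):
                f, F, cost, accepted = swapped(f, x, y), F_new, cost + d, True
                fhat = polarity(f)
        failed = 0 if accepted else failed + 1  # 3b
        T *= alpha  # 3c
        if failed >= max_failed:  # 3d
            break
    return f

def improving_swap(f):
    """Strong hill-climbing step: a swap that strictly raises N_f, else None."""
    fhat = polarity(f)
    F = walsh_hadamard(fhat)
    wh = max(abs(v) for v in F)
    for x in [i for i, b in enumerate(f) if b == 0]:
        for y in [i for i, b in enumerate(f) if b == 1]:
            if max(abs(v) for v in updated_transform(F, fhat, x, y)) < wh:
                return x, y
    return None

def two_stage(n, seed, **sa_params):
    """Section 3.5: anneal on the Parseval cost, then hill-climb on N_f."""
    f = simulated_annealing(random_balanced(n, seed), n, random.Random(seed), **sa_params)
    move = improving_swap(f)
    while move is not None:  # stage 2
        f = swapped(f, *move)
        move = improving_swap(f)
    return f
```

`two_stage(8, seed=1)` runs the paper's configuration for n = 8; every move is evaluated through `updated_transform`, so each candidate costs $2^n$ operations rather than a full transform, which is the point of Section 3.3. For odd n the target $2^{n/2}$ is not an integer, which the float arithmetic in `parseval_cost` handles as written.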

4 Experimental Results 

4.1 Comparison of Approaches 

In this section we detail the results of applying the technique to the derivation 
of balanced functions with n = 8. The best known bound for the non-linearity 
is currently 118. The best boolean function demonstrated has non-linearity of 
116. Four techniques have been examined: random generation followed by hill- 
climbing using the traditional cost function; simulated annealing using the tra- 
ditional cost function; simulated annealing using the new uniform cost function; 
and simulated annealing using the new cost function followed by hill-climbing 
using the traditional cost function. We replicated each technique 400-fold. The 
result of each run is a non-linearity/autocorrelation pair (Nf,ACf). For the 
simulated annealing components the search was terminated after 300 tempera- 
ture cycles (i.e. inner loops) or else after 50 consecutive cycles had not produced 
an accepted move. At each temperature cycle 400 moves were considered (as 
indicated earlier). A temperature factor a = 0.8 was used throughout. 

Figure 1 shows the results of applying strong hill climbing from randomly chosen initial starting points using the traditional cost function (i.e. maximising the non-linearity $N_f$ directly). No run attained a non-linearity of 114 or more. No run attained an autocorrelation value of 40 or less.

Fig. 1. Hill-Climbing with Fitness $N_f$

Figure 2 shows the results for applying simulated annealing alone using the 
traditional cost function. The results are unaffected by following simulated an- 
nealing by hill-climbing. Here we see that results are more bunched with respect 
to non-linearity (all but one have non-linearity of 112). There are a very small 
number of runs giving values better than for hill-climbing alone. 

Figure 3 shows the results of applying simulated annealing alone using the 
new cost function and Figure 4 shows the results of following this new optimisa- 
tion by a traditional hill-climb. Now we hit functions with non-linearity of 116 
occasionally and some have relatively low autocorrelations. 

The results show that the two-stage approach using local optimisation is 
highly effective. Results have been achieved for non-linearity and autocorrelation 
that were not obtained using hill-climbing and the traditional cost function. In 
Millan et al’s more extensive hill-climbing [9] no trial resulted in Nf = 116 (when 
maximising Nf) and no trial resulted in ACf = 32 (when minimising ACf). As 
we shall show below, it is possible to improve on the results obtained so far. 
Fig. 2. SA only using Traditional Cost Function (Unaffected by addition of Hill-climbing)

Fig. 4. SA with New Cost Function and Hill-climbing with Traditional Cost Function



4.2 Tuning the Technique 



The cost function is a means to an end. Indeed, we chose an initial new cost 
function for which a decrease did not necessarily correspond to an increase in 
non-linearity. Its purpose was to get the search to the right area. In using optimi- 
sation techniques across a range of problems we have found that experimentation 
with the cost function frequently produces better results. For this problem we 
have found that a more effective form of cost function is given by: 



    $$\mathrm{cost}(f) = \sum_{\omega} \Big|\, |F(\omega)| - \big(2^{n/2} + K\big) \Big|$$ 



where K can be varied. Figure 5 shows the results of using K = 4 and 
K = −12 with a = 0.9 (other parameters as before). The effects of such tuning 
are marked. The technique has produced values that were not achieved by any 
hill-climbing strategy (or indeed by the work reported here so far). The results 
are all the more remarkable since autocorrelation was effectively ignored as (a 
conscious) part of the search. The values of K clearly influence which parts 
of the design space are reached. For K = −12 the search has tended to find 
solutions with lower non-linearity than for K = 4 but generally lower (and 
so better) autocorrelation. Also, examples of functions with autocorrelation of 
16 have been found easily by the search. Small-scale experimentation has been 
carried out with various K values and the results are presented in Figure 6. The 
results presented here are for illustration only. More extensive experimentation 
is required. We leave this as future work. 
Fig. 5. ... Function for K = 4,-12 (400 runs) 

Fig. 6. Results for n = 8 with various K values (100 runs). Each entry is the 
number of runs (out of 100) that produced a function with the given 
non-linearity Nf (column) and autocorrelation ACmax (row). 

            K = -14         K = -12         K = -10         K = -8 
ACmax    112  114  116   112  114  116   112  114  116   112  114  116 
  48       0    0    0     0    1    0     0    0    1     0    0    0 
  40       3    2    2     3    2    3     2    5    2     2    2    1 
  32      19   10    6    15    8    2    15    9    3    11   12    6 
  24      45    2    0    53    2    0    51    2    0    44    3    1 
  16      11    0    0    11    0    0    10    0    0    18    0    0 

            K = -6          K = -4          K = -2          K = 0 
ACmax    112  114  116   112  114  116   112  114  116   112  114  116 
  48       0    0    1     0    3    2     0    8    5     5   12    1 
  40       0    5   13     3   19   20     6   32   15    12   43    1 
  32       2   27   42     5   17   27     3   16   15     6   19    1 
  24       0    0   10     1    1    2     0    0    0     0    0    0 
  16       0    0    0     0    0    0     0    0    0     0    0    0 
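The two-stage search of Section 4.1 (simulated annealing followed by hill-climbing), driven by the K-tuned cost function of Section 4.2, as an added Python illustration that is not the authors' code: it assumes a move that swaps a 0 and a 1 entry of the truth table (so the function stays balanced), an initial temperature of 8, and cycle, move and try counts far below the paper's; the bent 4-variable function is a constructed check value.

```python
import math
import random

def wht(vec):
    """Fast Walsh-Hadamard transform of a list whose length is a power of two."""
    v, h = list(vec), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def walsh_spectrum(tt):
    """F(w) = sum_x (-1)^(f(x) XOR w.x) for a truth table tt of 0/1 values."""
    return wht([1 - 2 * b for b in tt])

def nonlinearity(tt):
    """N_f = 2^(n-1) - max_w |F(w)| / 2, the traditional fitness."""
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(v) for v in walsh_spectrum(tt)) // 2

def autocorrelation_max(tt):
    """AC_f = max over s != 0 of |r(s)|, r(s) = sum_x (-1)^(f(x) XOR f(x XOR s)).
    Uses r = WHT(F^2) / 2^n instead of the O(4^n) direct sum."""
    N = len(tt)
    r = wht([v * v for v in walsh_spectrum(tt)])
    return max(abs(r[s]) for s in range(1, N)) // N

def cost(tt, K):
    """cost(f) = sum_w | |F(w)| - (2^(n/2) + K) |, the tunable cost of Section 4.2."""
    n = len(tt).bit_length() - 1
    target = 2 ** (n / 2) + K
    return sum(abs(abs(v) - target) for v in walsh_spectrum(tt))

def swap_move(tt, rng):
    """Assumed move: swap one 0 entry with one 1 entry, so the function stays balanced."""
    zeros = [i for i, b in enumerate(tt) if b == 0]
    ones = [i for i, b in enumerate(tt) if b == 1]
    new = list(tt)
    new[rng.choice(zeros)], new[rng.choice(ones)] = 1, 0
    return new

def anneal(tt, K, alpha, cycles, moves, rng, t0=8.0):
    """Stage 1: simulated annealing on cost(f); temperature t is scaled by alpha per cycle."""
    cur, cur_cost, t = list(tt), cost(tt, K), t0
    for _ in range(cycles):
        for _ in range(moves):
            cand = swap_move(cur, rng)
            delta = cost(cand, K) - cur_cost
            if delta <= 0 or rng.random() < math.exp(-delta / t):
                cur, cur_cost = cand, cur_cost + delta
        t *= alpha
    return cur

def hill_climb(tt, tries, rng):
    """Stage 2: accept only swaps that strictly raise non-linearity."""
    cur, cur_nl = list(tt), nonlinearity(tt)
    for _ in range(tries):
        cand = swap_move(cur, rng)
        nl = nonlinearity(cand)
        if nl > cur_nl:
            cur, cur_nl = cand, nl
    return cur

def two_stage(n, K, alpha=0.9, cycles=20, moves=100, tries=400, seed=1):
    """Random balanced start -> annealing on the K-tuned cost -> hill-climb on N_f.
    Returns (truth table, N_f, AC_f); the loop sizes are far smaller than the paper's."""
    rng = random.Random(seed)
    tt = [0] * 2 ** (n - 1) + [1] * 2 ** (n - 1)
    rng.shuffle(tt)
    tt = hill_climb(anneal(tt, K, alpha, cycles, moves, rng), tries, rng)
    return tt, nonlinearity(tt), autocorrelation_max(tt)

def bent4():
    """Constructed check value: x0*x1 XOR x2*x3 is bent on 4 variables (N_f = 6, AC_f = 0)."""
    return [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]

if __name__ == "__main__":
    for K in (4, -12):
        _, nl, ac = two_stage(8, K)
        print(f"n=8, K={K:>3}: N_f={nl}, AC_f={ac}")
```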



4.3 Results for Higher Values of n 

We have applied the technique with the tunable cost function to the synthesis of 
Boolean functions with n = 9, 10, 11, 12 variables. The number of inner cycles N 
was 200 (except for n = 12 where 400 cycles were carried out) with 400 moves 
considered in each cycle as before. The overall aim of the work was to generate 
highly non-linear Boolean functions (low autocorrelation values obtained were 
accidental). Figure 7 summarises how our technique compares with the best 
results obtained so far by other techniques (both constructive techniques and 
heuristic optimisation approaches) with respect to non-linearity. 

For lower values of n our technique has no difficulty in equalling the best 
produced so far by any technique. We have not yet carried out extensive experi- 
ments with respect to parameter variation and make no claims to optimality of 
our results above. Experience with other problems has shown that cost function 
variation generally leads to improvements. Hard and fast comparisons with other 

Two-Stage Optimisation in the Design of Boolean Functions   251 

Method                      n = 4    5    6    7     8     9    10    11    12 
Lowest Upper Bound              4   12   26   56   118   244   494  1000  2014 
Best Known Example [11,3]       4   12   26   56   116   240   492   992  2010 
Bent Concatenation              4   12   24   56   112   240   480   992  1984 
Genetic Algorithms [8]          4   12   26   56   116   236   484   980  1976 
Our Simulated Annealing         4   12   26   56   116   238   484   984  1990 

Fig. 7. Comparing the Non-linearity of Balanced Functions 



optimisation work is difficult since the simulated annealing is likely to be more 
computationally complex (here 80000 function evaluations before hill climbing). 
Nevertheless, our technique seems to compare favourably with genetic algo- 
rithms for the higher values of n (work performed at the request of the referees). 
The results are encouraging and indicate that local search has good potential as 
a synthesis technique. 

For reference purposes we include below the results of our experiments for 
n = 9,10,11,12. For n = 9, 10 we provide the results of (small-scale) random 
function generation followed by hill-climbing with respect to non-linearity (this is 
far better than random generation alone as demonstrated in [7]). For n = 11, 12 
we simply present the results obtained by our technique to allow comparisons 
by future researchers. 
Fig. 8. 400 runs for n = 9, a = 0.9 and K = −12 



5 Conclusions and Further Work 

The work reported in this paper has shown how local search can be used to 
generate Boolean functions that have both high non-linearity and low autocor- 
relation. Further work is needed to determine optimal parameter values for the 
technique. The values reported here are for illustration only. Indeed, since the 
efficacy of our technique is significantly affected by parameter values, we propose 
to investigate the use of adaptive cost functions. With this approach the search 
is continually monitored and parameters varied dynamically. The parameters 
for the annealing algorithm have been chosen to allow a reasonable amount of 
experimentation. The value N = 400 is extremely small compared with recom- 
mended values (and the larger the number of Boolean variables n the worse is 
the discrepancy). Also, the values used for the cooling factor a (0.8 and 0.9) are 
very small compared with the bulk of successful annealing work. The results so 
far show considerable promise but further work is needed to tune the technique 
effectively. The use of global optimisation techniques such as genetic algorithms 
in conjunction with the new cost function would also seem worthy of investiga- 
tion. We aim to extend the local simulated annealing approach to incorporate 
other desirable cryptographic properties. 

Fig. 9. 400 randomly generated functions followed by Hill-climbing for n = 9 

Fig. 10. 100 runs for n = 10, a = 0.9 and K = −16 

Fig. 11. 100 randomly generated functions followed by Hill-climbing for n = 10 

Fig. 12. 100 runs for n = 11, a = 0.9, K = −24 and R = 2.5 

Fig. 13. 10 runs for n = 12, a = 0.9, K = −28 and R = 3.0 



As is typically the case with heuristic techniques, augmenting the basic ap- 
proach with hill-climbing has been found to be an excellent idea. The simulated 
annealing simply provides a means of locating good areas from which to hill- 
climb. We have found that adopting a two-stage strategy is of use in other 
security problems too. 

Perhaps the most important point of this paper is that the cost function 
matters. The authors have recently applied optimisation techniques to a variety 
of security-related problems. Experimentation with cost functions has typically 
led to better results (in some cases a radical improvement is obtained). We would 
recommend such experimentation to all. 

We are currently working on the use of optimisation techniques to derive 
cryptographic artifacts which satisfy excellent publicly stated criteria but which 
also satisfy secret malicious criteria! 
Abstract. In this paper, we describe a novel Sensor-Based Intrusion Detection 
Engine, SenIDS, which can process different security-related data types with 
various intrusion detection methods. With SenIDS, we can integrate the misuse 
intrusion detection method and the anomaly intrusion detection method into a 
single structure and algorithm. SenIDS constructs a framework for intrusion 
detection built around sensors (a complex structure including a sub-program 
and fields representing the desired event record source, the user and program 
activity, variable names and values, etc.). The sensor structure possesses greater 
ability to detect and handle a variety of complex intrusion scenarios. An 
intrusion detection rule consists of one or more sensors. Alarms in such rules 
can be triggered by various intrusion instances. The processing of these sensors 
and rules is managed automatically by a Trigger Engine. The Trigger Engine 
can manage different kinds of sensors and rules for triggering. This enables 
SenIDS to integrate different intrusion detection methods. 



1 Introduction 

Presently, network intrusions and computer-initiated abuse have increased 
dramatically due to the popularity of the Internet and the transparency of the network 
users and technology. In response, many tools have been developed to secure 
networks, among which are intrusion detection systems (IDSs). Intrusion detection 
systems are software systems that detect intrusions and anomalous activities through 
the analysis of security-related data. 

Currently, IDSs usually process network management or security-related data such 
as audit trail data, network traffic, application logs, and system data collected by dedicated 
programs, etc., to detect intrusions. According to the method used, intrusion detection 
technologies can be broadly categorized into anomaly detection and misuse detection. 

Anomaly IDSs attempt to establish normal behavior profiles for users, hosts, 
programs and processes of a network. Significant deviations of activities from the 
established behavior profiles are broadly classified as instances of intrusion. Several 
IDSs, like HAYSTACK [1] and MIDAS [2], employ such an anomaly detection 
approach. Recently, Lane et al. [3] modeled user behavior with the sequence (an 
ordered, fixed-length set of temporally adjacent actions). Also, Ko et al. [4] 
developed a specification-based language to specify the intended behavior of security- 
critical programs, with specifications indicating the desired activity pattern of the 
program. The premise here is that every activity beyond the specification is likely to 
be an attack. The main difficulty in anomaly detection is that the feature sets (which are 
used to generate the profile) must have the essential capability to differentiate 
malicious activities from normal behavior. 

Misuse IDSs compare a sub-set of specific security-related data with predefined 
intrusion signatures to indicate such intrusions. For example, Lindqvist et al. [5] used 
a Production-Based Expert System Toolset for misuse detection. Mounji [6] 
developed a rule-based language (RUSSEL) to describe the signatures and rules of 
intrusions. Ilgun [7] designed USTAT to analyze system state transitions to detect 
intrusions. Colored Petri Nets are used by Kumar [8] to provide a pattern matching- 
based computational model. The main limitations are that (a) unknown intrusions are 
hard, if not impossible, to detect, and (b) intrusion signatures are difficult to construct. 

This project aims to integrate both anomaly and misuse detection methods into a 
single framework. The SenIDS intrusion detection engine has the ability to process a 
variety of security-related data with a combination of various algorithms. With 
SenIDS, we can employ anomaly and misuse detection methods to process different 
data types to detect a single intrusion scenario. Here, we introduce the concept of a 
sensor. This sensor is a complex structure with a sub-program and fields to represent 
user or program activities, variable names and values, etc. The detecting rule consists 
of one or more sensors. Such a rule has the enhanced ability to reliably detect various 
intrusion scenarios. The Trigger Engine (or TE) is employed to activate the sensors 
with security-related events. The TE can create, save, and delete the triggered sensors 
and rules. 



2 Sensor-Based Intrusion Detection Engine - SenIDS 

SenIDS is an intrusion detection engine. It has an enhanced ability to process various 
security-related data types with various detecting algorithms. 

The security-related data, including audit trail data, network packets, application 
logs, and system data, etc., will be collected by a data collector and fed to SenIDS. In 
order to process different kinds of security-related data, these data must be converted to 
a standard format before being fed to SenIDS. The standard format (like the format 
proposed in [9]) consists of variable-length fields; each field consists of a field name 
and a value. The field name must be predefined for processing by SenIDS. Every 
event record type should have one field with the name "source" to indicate the type of 
the data, such as audit trail and network packet. SenIDS can process different types of 
security-related data according to this field. 

These event records are transferred to the selected sensors for processing. The 
sensors are made up of some fields and a sub-program; one or more sensors compose 
a detecting rule, which is used to detect an intrusion instance. A Trigger Engine will 
be employed to manage the event records, sensors and rules. The Trigger Engine can 
pre-select the waiting sensors (the sensors that are waiting to be triggered) to trigger, try 
to trigger the selected sensor with an event record, update the waiting sensor, and delete 
the waiting sensors. Also, the Trigger Engine can create triggered rules, update the 
triggered rules and delete a triggered rule. The Trigger Engine manipulates the 
sensors and rules automatically according to their type and their "return" instruction. 
When a certain rule is fully fired, the TE will raise an alarm. 




A Novel Engine for Various Intrusion Detection Methods   257 



3 Sensor and Rule 




Fig. 1. Structure of Sensor 

The approach taken in SenIDS is based on the sensor concept. A sensor is a complex 
structure including a sub-program and fields representing the desired event record source, 
the user and program activity, variable names and values, etc. Every detecting rule 
consists of one or several sensors to detect an intrusion instance. 



3.1 Structure of Sensor 

The sensor of SenIDS is configured as a data structure, containing several fields (see 
Fig. 1). The fields include: 

• Type: indicates the type of the sensor. (We will discuss the sensor type in the 
next section.) 

• Source: indicates the type of the event record, which is desired by the sensor. 
TE will compare this field with the source field of the event record to pre- 
select sensors for triggering. 

• Sensor_id: represents the unique id of the sensor. 
• Pre_select_name and pre_select_value: are the pre-selection criteria. 

Pre_select_name is the field name that corresponds to one field name of 
the event record. Pre_select_value is the desired value of that field, which 
should be the same as the value of that field in the event record. These two 
fields and the source field are used for pre-selection. Pre-selection aims to 
shorten the triggering process time by pre-selecting the appropriate sensors for 
triggering instead of trying to trigger every sensor with the event record. 
When a system event occurs, the TE will try to find the appropriate sensors 
to trigger, i.e. those whose source field is the same as the event record's and whose 
pre_select_name and pre_select_value have a corresponding field in the event 
record. Pre_select_value is a list that includes all possible values to be 
matched. 

• Variable_list: describes an array of variable names and values. The 
variable_list stores the information generated by the triggering process of the 
sensor. This information will be used to trigger the other sensors. Different 
sensors can transfer information to each other through the variable_list field of 
sensors. 

• Pre_sensor_list and post_sensor_list describe the sensor_ids of sensors that 
must be triggered before or after the current sensor is triggered. With these 
two fields, sensors can be linked together to construct rules for detecting 
complex intrusion instances. 

• Function: is the name of a sub-program that will process the event record 
data to trigger the sensor. The sub-program is stored in a separate file. With 
this sub-program, the detecting "rules" can be kept out of the sensor structure. 
It therefore presents a more flexible means to write "rules" for triggering 
the sensor in a separate file without the need for a special language. We can 
construct a function library that contains the common functions. These 
functions can be employed to construct the sub-programs of sensors to 
eliminate duplicated programming. 

With these fields, the sensor possesses greater ability to detect and handle a variety 
of complex intrusion scenarios. 



3.2 Intrusion Detection Rule 

An intrusion detection rule consists of one or several sensors that are designed to detect 
a single misuse, violation or intrusion activity. Intrusion detection rules can 
represent intrusion signatures; can be used to establish behavior profiles and 
detect anomalies; and can be designed to detect violations and other malicious activities. 
The intrusion detection rules are stored in the intrusion detection Rule Table, which 
will be consulted for the rules and sensors by the Trigger Engine. 



3.3 Classification of Detecting Rule 

The data structure design approach enhances the sensor’s ability to be used for 
detecting different types of intrusions (both simple and complex). With sensors, we 
can construct the following types of rules to be employed in SenIDS. 
3.3.1 Intrusion Signature 

An intrusion signature specifies the features, conditions, arrangements and 
interrelationships among events that lead to a break-in or other misuse [8]. The 
intrusion signature is abstracted from past attacks, known weaknesses 
(vulnerabilities), and security policy. Intrusion signatures are employed by misuse 
intrusion detection systems to compare with the security-related data in order to detect 
intrusion activities. In SenIDS, the intrusion signature can be constructed using a 
sequence of sensors. Usually, an intrusion consists of a sequence of steps, which 
leave a series of system events in the log. To detect such an intrusion, a sequence of 
sensors to scan the system events is employed, which composes an intrusion detection 
rule. The pre_sensor_list and post_sensor_list fields of a sensor represent the 
relationship between sensors in an intrusion signature. Sensors in the same intrusion 
signature can transfer messages between each other via the variable_list. In this way, 
the combinations of these sensors (in various orders and sequences) can be utilized to 
represent complex intrusion signatures. 

3.3.2 Behavior Profile 

The anomaly intrusion detection method usually establishes the behavior profiles of users, 
programs and system activities, etc., and tries to detect significant deviations of the real- 
time activity from the established profile in order to identify intrusions. Such behavior profiles 
of users, systems, programs and processes can also be defined with sensors. The 
sensor can collect profile values, which can be stored in the variable_list and updated in 
the triggered rule. We can define threshold values in the sub-programs of such 
sensors; when they are exceeded, that particular sensor will raise an alarm. 

3.3.3 System Policy and Anomaly Alarm 

Some activities, which are normal at other sites, may violate your company's policy. 
Sensors can be used to represent the system policy unique to different sites. They can 
be used to scan for after-the-fact violations of system policy. For example, a sensor 
can easily be designed to search for login events that occurred later than 10:00PM. 
Anomalies can also be detected with sensors. For example, a sensor can be 
constructed to be triggered by continuous failed logins within a three-minute window. 

3.3.4 Others 

The sensor provides us with a framework to process security-related data. With sensors, we 
are free to employ any algorithms to process the event records. For example, we can 
design a sensor to find new users of the system, and we can also use a sensor to 
collect information on how many users have logged into the system in a day. 



4 Algorithms of SenIDS 

As mentioned earlier, in SenIDS, the Trigger Engine (or TE) controls the sensors and 
rules. This TE is the major component of SenIDS. The TE generates and manages the 
wait_sensor table (WS table) and the triggered_rule table (TR table). The wait_sensor table 
(WS table) stores the sensors that are waiting to be triggered. These sensors include 
the first sensors of every rule, which are expected to be triggered to detect a new 
suspect intrusion instance, and the sensors of the triggered rules that are expected to be 
triggered in order to fully detect the current intrusion instance. The triggered_rule table 
(TR table) stores the triggered rules; each triggered rule corresponds to a suspect 
intrusion instance. Every record in the TR table is a suspect intrusion instance, which 
includes the identification number of the instance, variable values received from the 
previously triggered sensors, the event records that triggered previous sensors, etc. The TE 
can pre-select the suitable waiting sensors in the WS table to be triggered; try to trigger 
the waiting sensors with the event record; save the triggered rules' information into 
the TR table; or delete the triggered rules and sensors. 



4.1 How Trigger Engine Works 

When SenIDS executes, the TE will read the first sensor of each rule in the Rule table and 
write them to the WS table. These sensors are waiting to be triggered in order to find a 
new suspect intrusion instance. When one of these sensors is triggered, we consider that a 
suspect intrusion instance has been raised; the TE will generate a new triggered rule in the TR table, 
and add the next sensor of the same rule to the WS table, where it will wait to be triggered 
in order to fully detect the instance. 

When a system event arrives (Fig. 2), the TE will try to trigger each waiting sensor in the 
WS table. This is done by, firstly, the TE pre-selecting the suitable sensors according to 
the source, pre_select_name and pre_select_value fields of the sensors. Then, the TE 
will run the sensor sub-program with the system event record to determine if the 
sensor can be triggered. 

If the sensor cannot be triggered, the TE will simply ignore the current sensor and try 
to select another sensor to trigger. If the sensor is triggered, the TE will process the sensor 
and rule according to the type of the sensor and the return message of the sub- 
program. The return message of the sensor sub-program includes an action field to 
instruct the TE how to process the current sensor. For example, if it is a multi-sensor 
intrusion signature, it will be sent to the TR table along with the system event and the 
return messages of the sub-program. At the same time, the sensors in the 
post_sensor_list of the triggered sensor will be written to the WS table, and wait to be 
triggered in order to fully detect that instance. We will discuss the TE actions 
according to the different return messages in the next section. 

Fig. 2. Flow Chart of TE 



4.2 Messages between Sensors and TE 

The sensor can send messages to the TE, as well as to other sensors of the same rule. 
When the TE runs the sub-program, the sub-program will return a message back to the 
TE. The message includes an action to instruct the TE what to do about the current sensor 
and some variable values that should be saved to the variable_list for the use of other 
sensors of the same rule. 

The action returned by the sensor sub-program is an instruction that tells the TE 
what to do about the current sensor. Such actions are "create", "cleanup", "fail", 
"active", "alarm", "next", "reset", etc. "Create" instructs the TE to create a new 
triggered rule in the TR table. "Cleanup" instructs the TE to delete the current triggered 
rule and sensors. "Fail" tells the TE that the current sensor is not triggered by that 
event. "Alarm" records a detected intrusion event. "Active" instructs the TE to 
maintain the current waiting sensor in the WS table and update the information in the 
TR table. Other action values can be used in different situations. 

The variable values returned by sub-program are used to transfer information 
between sensors of the same rule. They may include, for example, the time-stamp 
when the specific event occurs; the object file or system resource that should remain 
unchanged throughout the same rule, and other information to unify the triggering 
process in the same rule. 
4.3 Life-Span of Triggered Rule 

In order to manage the population of the triggered rules and manipulate different 
types of rules, we must consider the life-span of the triggered rules. The life-span of 
the triggered rules refers to the generation and termination of triggered intrusion rules 
in the TR table. It is very important for manipulating different rule types. 

When the first sensor of a rule stored in the WS table is triggered, the TE will create a 
new record in the TR table; this indicates a new suspect intrusion instance arising 
from the triggered rule. 

The TE will terminate the triggered rule when the following condition(s) apply: 

• The triggered rules in the TR table will be fully triggered when all the sensors of that 
rule are triggered. Such a rule will be deleted after the TE has reported the intrusion. The 
related waiting sensors in the WS table will also be deleted. 

• The triggered rules in the TR table will terminate if a sensor sub-program returns the 
"cleanup" message to the TE. This happens when a sensor determines that the current 
triggered rule can never be completed. The triggered rule in the TR table and 
the related sensors in the WS table will be deleted. 

• For statistical collection rules, the sensor of the rule itself determines when to 
terminate. If the threshold is exceeded, the sensor will send a message with action 
"alarm" to raise an alarm and instruct the TE to terminate the current rule and 
sensors. Otherwise, the sensor will send action "active" to the TE, which instructs the 
TE to update the same waiting sensor in the WS table and update the corresponding 
triggered rule in the TR table. 

• The policy rules determine their termination by themselves. Sensors of a policy rule 
will send "alarm" to the TE to indicate a violation and instruct the TE to terminate 
the current rule and sensors. Otherwise they can also decide to "cleanup" without 
a violation. 

• The rules that establish behavior profiles are kept alive indefinitely; however, 
the variables will change every time the sensor is triggered, and the sensor will 
send "active" to instruct the TE to update the current sensor in the WS table and the rule in 
the TR table. They can still raise an alarm when an anomaly is detected. 

• For all of the rules, a time span is defined; if a triggered rule in the TR table 
stays longer than the predefined time span, the TE will terminate that rule and the 
related sensors automatically. 

In this way, the sensor population will not grow uncontrollably. In this regard, 
sensors should be created with their termination as part of the design process. 



5 SenIDS Rule Examples 

SenIDS has been developed using Perl on SUN Solaris 2.5. Currently, the security- 
related data are collected in the audit trail produced by the Solaris Basic Security Module 
(BSM). The system can also be developed using C or C++ for performance 
reasons. 

An example of a rule for detecting failed authentication attempts within a certain 
time span is discussed here. An alarm will be raised when a user fails in the login 
authentication process more than Y times within Z seconds. 
Such an authentication failure is defined as entering an invalid username and 
password to a login, rlogin, or su process. This rule is implemented in a sensor 
descriptor (see Table 1). 

In Table 1, Type "statistic" indicates the sensor is used to collect statistics. Source 
"audit_trail", pre_select_name "header_event_id" and pre_select_value "login, 
rlogin, su" are used to pre-select the sensors to be triggered by the TE. From these 
fields, we can see that only an audit_trail event record whose value of field 
"header_event_id" is one of "login", "rlogin" or "su" can trigger the sensor. The 
variable_list items "time1" and "number" store the values generated each time the 
sensor is triggered. Function "fail_auth" is the name of the sub-program that is used to 
trigger the sensor with the event record. Because this sensor forms a single-sensor rule, 
the pre_sensor_list and post_sensor_list contain no sensor_ids. 

The following program code illustrates the sub-program named "fail_auth" of the 
sensor. The hash data structure %standard stores the security-related event record 
fed by the data collector in standard format. The hash data structure %return_message 
is returned by the sub-program to the TE, among which $return_message{action} 
is sent to the TE to instruct the TE what to do about the current sensor and related triggered 
rules. $return_message{time1} returns the time when the first failed login happens. 
$return_message{number} returns the number of failed logins within the time span. 

Table 1. Sensor for Detecting Failed Authentication 

Name                Value 
Type                statistic 
Source              audit_trail 
Sensor_id           15 
Pre_select_name     header_event_id 
Pre_select_value    login, rlogin, su 
Variable_list       time1, number 
Pre_sensor_list     0 
Post_sensor_list    0 
Function            fail_auth 



sub fail_auth 
{   # %standard holds the event record in standard format; $number and $time1 
    # come from the sensor's variable_list; $Y and $Z are the configured thresholds. 
    my %return_message; 
    if ( ( $standard{header_event_id} eq "AUE_login" or 
           $standard{header_event_id} eq "AUE_rlogin" or 
           $standard{header_event_id} eq "AUE_su" ) and 
         ( $standard{return_error_value} eq "INVALID_USER" or 
           $standard{return_error_value} eq "INVALID_PWD" ) ) 
    {   if ( !defined $number or $number eq "" ) {          # first failure 
            $number = 1; 
            $time1  = $standard{header_data_time}; 
            $return_message{action} = "create"; 
            $return_message{time1}  = $time1; 
            $return_message{number} = $number; 
            return \%return_message; } 
        elsif ( $number + 1 >= $Y ) {                        # Y-th failure 
            $return_message{action} = "alarm"; 
            $return_message{alarm}  = "Alarm, Failed authentication attempts are more than Y times"; 
            return \%return_message; } 
        elsif ( $standard{header_data_time} - $time1 > $Z ) {   # window expired 
            $return_message{action} = "cleanup"; 
            return \%return_message; } 
        else {  $return_message{number} = $number + 1;       # keep counting 
                $return_message{action} = "active"; 
                return \%return_message; } 
    } 
    else {  $return_message{action} = "fail"; 
            return \%return_message; } 
} 

In this example, when an event record comes to the TE, the TE will pre-select the 
sensors in the WS table to trigger by comparing the sensor source, pre_select_name 
and pre_select_value with the corresponding fields of the event record. The sub-program 
of the selected sensor will be run by the TE with the event record. 

We assume that this failed-login detecting sensor is selected. The sub-program 
"fail_auth" will be run by the TE. It first checks whether the event record is a failed "login, 
rlogin, su". If not, it simply returns $return_message{action}="fail" to the TE, 
which indicates that the current event record cannot trigger the sensor; in this case, the TE 
just finds another candidate sensor in the WS table to trigger. Otherwise, "fail_auth" will 
try to determine whether the sensor is triggered for the first time, or the sensor exceeds the 
predefined maximum number Y, or the sensor exceeds the predefined time span Z. 
For a first-time triggered sensor, "fail_auth" will send 
$return_message{action}="create" to the TE; according to the type of the sensor, the TE 
will create a new triggered rule in the TR table and update the sensor in the WS table. If the 
sensor is triggered more than Y times, "fail_auth" will send 
$return_message{action}="alarm" along with the alarm message to the TE, which 
instructs the TE to raise an alarm and delete the current triggered rule and waiting sensor 
in the TR table and WS table. If the sensor exceeds the time span Z, it will return 
$return_message{action}="cleanup" to tell the TE to clean the current triggered rule 
in the TR table and all the related waiting sensors in the WS table. If the sensor has been 
triggered before but has not yet exceeded the number Y, the TE just updates the corresponding 
triggered rule in the TR table and the waiting sensor in the WS table. 
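The TE loop described above, as an added example that is not part of the SenIDS paper: a small Python model of the WS and TR tables driving the fail_auth sensor over constructed audit records. The record field names follow the paper; the thresholds Y and Z, the sample records and the re-arming of the sensor after an alarm or cleanup are assumptions of this example.

```python
# Added example (not the paper's code): a Python model of the trigger engine
# loop with the fail_auth sensor.  Y, Z and the audit records are constructed.

Y = 3   # assumed: alarm once failed attempts reach Y
Z = 60  # assumed: time span (seconds) within which failures are counted

FAILED_EVENTS = {"AUE_login", "AUE_rlogin", "AUE_su"}
FAILED_ERRORS = {"INVALID_USER", "INVALID_PWD"}


def fail_auth(standard, number, time1):
    """Sensor sub-program.  `number` and `time1` are the sensor's Variable_list
    as restored by the TE (None before the sensor has ever been triggered).
    Returns the paper's $return_message hash as a dict."""
    if not (standard["header_event_id"] in FAILED_EVENTS
            and standard["return_error_value"] in FAILED_ERRORS):
        return {"action": "fail"}            # record cannot trigger this sensor
    if number is None:                       # first failure: create a triggered rule
        return {"action": "create", "time1": standard["header_data_time"], "number": 1}
    if number + 1 >= Y:                      # tested before the time span, as in the paper
        return {"action": "alarm",
                "alarm": "Alarm, Failed authentication attempts are more than Y times"}
    if standard["header_data_time"] - time1 > Z:
        return {"action": "cleanup"}         # time span exceeded: drop the rule
    return {"action": "active", "number": number + 1}


class TriggerEngine:
    """Holds the WS (waiting sensors) and TR (triggered rules) tables."""

    def __init__(self):
        # WS table: sensor_id -> sub-program plus its Variable_list
        self.ws = {15: {"function": fail_auth, "vars": {"number": None, "time1": None}}}
        self.tr = {}       # TR table: sensor_id -> triggered rule
        self.alarms = []   # alarm messages raised so far

    def process(self, record):
        """Offer the record to each waiting sensor; return the first non-fail action."""
        for sid, sensor in self.ws.items():
            v = sensor["vars"]
            msg = sensor["function"](record, v["number"], v["time1"])
            act = msg["action"]
            if act == "fail":
                continue                     # look for another candidate sensor
            if act == "create":
                self.tr[sid] = {"since": msg["time1"], "count": msg["number"]}
                v.update(number=msg["number"], time1=msg["time1"])
            elif act == "active":
                self.tr[sid]["count"] = msg["number"]
                v["number"] = msg["number"]
            else:                            # "alarm" or "cleanup"
                if act == "alarm":
                    self.alarms.append(msg["alarm"])
                # The paper deletes the rule and its waiting sensors; this model
                # re-arms the sensor (assumption) so a later burst is detected too.
                del self.tr[sid]
                v.update(number=None, time1=None)
            return act
        return "fail"


def audit_record(t, event_id="AUE_login", error="INVALID_PWD"):
    """Constructed event record carrying only the fields the sensor reads."""
    return {"header_data_time": t, "header_event_id": event_id,
            "return_error_value": error}


def simulate(records):
    """Run the records through a fresh TE; return (actions, alarms)."""
    te = TriggerEngine()
    actions = [te.process(r) for r in records]
    return actions, te.alarms


if __name__ == "__main__":
    burst = [audit_record(0), audit_record(10), audit_record(20)]
    print(simulate(burst))   # three failures within Z seconds raise the alarm
```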

This is a simple example rule that contains just one sensor. From this example, we 
can see that the TE just manages the rules and sensors; it does not care how the 
event record is processed. Much of the work must be done by the sensor sub-program. 
This gives us greater ability to construct more powerful sensors that detect complex 
intrusion scenarios. The structure of the sensor and the function of the TE make it 
possible to integrate misuse intrusion detection and anomaly intrusion detection 
into a single intrusion detection engine. 
6 Conclusions and Future Work 

In this paper, we propose the SenIDS system, which employs a sensor framework to 
implement and achieve different types of intrusion detection. With these sensors, 
SenIDS can effectively combine misuse intrusion detection and anomaly intrusion 
detection. SenIDS incorporates different kinds of sensors to detect various intrusion 
scenarios. 

The challenge of the SenIDS system will be to design comprehensive sensor 
libraries. Such libraries should incorporate intrusion signatures, security policies, user 
profiles, process profiles, etc. Well-designed rules that represent user and process 
profiles of the activities will enhance the system's ability to detect unknown intrusion 
scenarios. Various security-related data types, such as application logs and network 
packets, will be integrated into our system in the near future. 
Abstract. Blakley and Borosh introduced a general theory of codes, encompassing 
cryptographic and error control codes among others. They explored the properties 
of such general codes with methods from relational algebra and set theory. We 
provide a categorical point of view, which leads to new constructions of codes. We 
also exhibit a Jordan-Hölder type theorem and a Schreier refinement technique. 



1 Introduction 

In the late twentieth century a vast proliferation of codes occurred. Many new 
cardinalities became common, especially large finite or infinite. Many new arith- 
metics - infinite as well as finite - could be found in the newly introduced 
arithmetic-based codes. Hilbert spaces are as integral to the theory of quantum 
error control as Hamming spaces to classical error control. But many new codes 
arose without arithmetic, amounting to mere codebooks or databases. 

Codes with no encode process, codes with no decode process, codes which 
encode every plaintext symbol into billions of different codetext expressions are 
now famous and widely used, as are codes which decode every codetext expres- 
sion into every plaintext symbol. 

Commerce has made ISSN, ISBN, UPC commonplace. Locks are codes, phonebooks 
are, genomes are, cash register receipts are; codes replace telephone wires, 
tollbooths, signatures. 

This is not metaphorical talk. Every one of these objects is a code in a strict 
mathematical sense. And one realization that emerges from this mathematical 
view of codes is the profound importance of structural considerations. Codes have 
shapes, just as molecules have shapes. And the designer of codes has a larger 
repertory of kinds of structures to draw upon than an organic chemist. Moreover, 
these kinds of structures can be usefully described and combined by the methods 
of universal algebra, as adumbrated in [3]. But they also lend themselves to 
treatment by category theory, as will become clearer below. 

After defining and visualizing precodes and codes, we introduce the corresponding 
categories in Section 4. We obtain products, limits, and colimits in the usual way 
in Sections 5 and 6, and then give some examples. The subprecodes of a precode 
form a lattice in a natural way. Section 8 discusses some of its properties and, in 
particular, establishes a Jordan-Hölder-Schreier theory for it. This result suggests 
a unified view of several cryptanalytic methodologies. We conclude with comments 
on the need for further results. 
2 Visual Presentation of Precodes and Codes 

The code definition given in the general theory [2] of codes goes as follows. A 
precode is a list $(P, C, e, d)$ whose entries are a set $P$ of plaintext symbols, a 
set $C$ of codetext symbols, an encode relation $e \subseteq P \times C$, and a decode relation 
$d \subseteq C \times P$. A code is a precode for which the composite relation $de \subseteq P \times P$ is 
subdiagonal, i.e. contains only pairs of the form $(p, p)$. 

We follow [2] and introduce a graphical representation of precodes and codes 
called a strip chart. The items P, e, C, d, P are represented by five columns of 
marks. The marks in the three ‘symbol’ columns P, C , P are at various heights - 
different heights signifying different elements. The marks in the two ‘relation’ 
columns e, d are undirected line segments treated as if they were arrows going 
from left to right. 

For example the first strip chart below represents the popular notion of a 
code, as a pair e, d of bijections between P and C. The bijection d going from the 
codetext symbols C (the set of open rings in the third column) to the plaintext 
symbols P (the set of blobs in the fifth column) is the inverse of the bijection 
e going from the blobs of P in the first column to the rings of C in the third 
column. Clearly each action of $e$ moves a first-column blob $b$ to a third-column 
ring $r$, and then $d$ takes this ring to a fifth-column blob at the same height as 
the original blob. In other words, $de$ takes each blob to itself. 

It is worth becoming acquainted with the strip charts below. They give a 
weak foreshadowing of the huge variety of codes already in use. And they set the 
stage for the purposeful use of abstract structure to produce novel codes of yet 
widely different structural types which the general theory of codes can supply 
for various information-related investigations or activities. 

In the figure at left, the encode $e$ is a bijection from $P$ to $C$, the 
decode $d$ is its inverse function, a bijection from $C$ to $P$. Gray codes, 
key settings of Caesar ciphers, RSA, DES, AES, some commercial 
codebooks and Gödel numbering are among the many examples of 
this matched-pair-of-bijections type of code. 

The code at left has a decode $d$ which is a function (i.e., a many-to-one 
relation). Its encode $e$ is the converse of $d$ (whence it is a one-to-many 
relation). There are many such codes, including some codebooks with 
homophones, the calculus (in which encode is antidifferentiation of a 
function and decode is differentiation), secret sharing schemes, and hash function 
codes (hashes are decodes, and their converses are encodes). 

The code at left has an empty encode relation $e = \emptyset$, and a full decode 
(an all-to-all relation) $d$. Hence $de$ is empty, so this strip chart does, 
indeed, present a code. The Diffie-Hellman key exchange [6] is often 
a pair of codes of this one-way 'encodeless' type. The genetic code is 
similar, but less extreme. Its encode is empty, and its decode is a function. 

The code at left has an empty decode relation $d = \emptyset$, and an encode 
relation $e$ which is a function. Clearly $de = \emptyset$. The Purdy high security 
login [9] is a code of this one-way 'decodeless' type. Other such 
examples are hash functions when viewed as one-way objects. 
The code at left has an injective (i.e., one-to-one) encode relation $e$, 
and a decode relation $d$ which is a function. Many error correcting 
codes are of this type. In particular, the code here is (isomorphic to) 
the triplication code with $e(0) = 000$, $e(1) = 111$, and with majority 



The code at left has an injective decode d, and a one-to-many encode 
relation e. It amounts to a variant of the magnetic-strip-card-key 
code, which large hotels use to give guests entry to their rooms. Each 
room is ‘encoded’ as a large set of bit strings, only one of which is 
valid today. A card with this string ‘decodes’ the room door to open today - 
thus revealing the encoded room. Cards with any other bit string don’t open it. 
And tomorrow the decode d may be changed, but the encode e will remain the 
same. But no two rooms can ever be opened by the same card. 




3 Basic Notions 

Let $P$ and $C$ be sets. We will call $P$ the plaintext symbols, and $C$ the codetext 
symbols. Let $e$ be a subset of $P \times C$, called the encoding relation, and $d$ a subset 
of $C \times P$, called the decoding relation. Then $\mathcal{R} = (P, C, e, d)$ is called a precode. 
$\mathcal{R}$ is said to be a code if and only if $d \circ e$ is a subdiagonal relation on $P$. 

A precode homomorphism from $(P, C, e, d)$ to $(P', C', e', d')$ is defined by 
a list of functions $(h, k, h \times k, k \times h)$, where $h\colon P \to P'$ and $k\colon C \to C'$ are required 
to satisfy $(h \times k)(e) \subseteq e'$ and $(k \times h)(d) \subseteq d'$. Sometimes we will write $(h, k)$ to 
denote this homomorphism. 

We obtain a category $\mathfrak{P}$ of precodes by taking precodes as objects and 
precode homomorphisms as morphisms. 

The identity functions on the plaintext and the codetext symbols of a precode 
$\mathcal{R}$ induce the identity morphism $1_{\mathcal{R}}$ associated to the precode $\mathcal{R}$. The 
composition of morphisms is given by the composition of functions. The class of 
objects in the category $\mathfrak{P}$ is denoted by $\mathrm{Obj}(\mathfrak{P})$. The set of morphisms from $\mathcal{R}$ 
to $\mathcal{A}$ is denoted by $\mathrm{Hom}_{\mathfrak{P}}(\mathcal{R}, \mathcal{A})$ or sometimes simply by $\mathcal{R} \to \mathcal{A}$. 

Let $\mathcal{R} = (P, C, e, d)$ and $\mathcal{A} = (P', C', e', d')$ be precodes. $\mathcal{R}$ is said to be a 
subprecode of $\mathcal{A}$ if and only if $P \subseteq P'$, $C \subseteq C'$, $e \subseteq e'$, and $d \subseteq d'$. Notice that 
a subprecode of a code is again a code. 

The subcategory $\mathfrak{C}$ of codes of the category $\mathfrak{P}$ of precodes is defined in 
the obvious way, taking codes as objects. Note that $\mathfrak{C}$ is a full subcategory of 
$\mathfrak{P}$. Indeed, consider a precode homomorphism between two codes $\mathcal{K}$ and $\mathcal{L}$. The 
image under this homomorphism is a subprecode of $\mathcal{L}$, and hence a subcode. 
Thus the set $\mathrm{Hom}_{\mathfrak{P}}(\mathcal{K}, \mathcal{L})$ of precode morphisms coincides with the set of code 
morphisms $\mathrm{Hom}_{\mathfrak{C}}(\mathcal{K}, \mathcal{L})$. 

The code $\mathfrak{U} = (\emptyset, \emptyset, \emptyset, \emptyset)$ is an initial object in the category of precodes, that 
is, there exists exactly one morphism from $\mathfrak{U}$ to any other object $\mathcal{R}$ in $\mathfrak{P}$. Any 
code $\mathcal{T} = (\{p\}, \{c\}, \{(p, c)\}, \{(c, p)\})$ with singleton symbol sets is a terminal 
object in $\mathfrak{P}$. The category $\mathfrak{P}$ does not have a zero object. 
4 Morphisms 

We take a closer look at the morphisms of precodes in this section. It turns out 
that the monomorphisms are just the injective functions respecting the encoding 
and decoding relations. We will see that epimorphisms need not be so well- 
behaved. Indeed, neither the category of precodes nor the category of codes is 
balanced, that is, bimorphisms (morphisms that are both monic and epic) need not be isomorphisms. 

A morphism $f\colon \mathcal{A} \to \mathcal{B}$ of precodes $\mathcal{A}$ and $\mathcal{B}$ is said to be a monomorphism, 
or simply monic, if and only if $fg = fg'$ implies $g = g'$ for all $g, g' \in \mathrm{Hom}_{\mathfrak{P}}(\mathcal{R}, \mathcal{A})$ 
and all $\mathcal{R} \in \mathrm{Obj}(\mathfrak{P})$. 

Lemma 1. Let $f\colon \mathcal{R} \to \mathcal{A}$ be a morphism of precodes. Then $f = (f_1, f_2)$ is monic 
if and only if $f_1$ and $f_2$ are injective functions. 

Proof. Suppose that $f_1$ and $f_2$ are injective, hence monic, morphisms in the 
category of sets. This immediately implies that $f$ is monic. Conversely, suppose 
that $f$ is monic. Denote by $\mathcal{S} = (\{p\}, \{c\}, \emptyset, \emptyset)$ a precode with singleton symbol 
sets. Let $x$ and $y$ be (necessarily constant) morphisms from $\mathcal{S}$ to $\mathcal{R}$. Since $fx = fy$ 
implies $x = y$, it follows that $f_1$ and $f_2$ are injective. □ 

A morphism $f\colon \mathcal{R} \to \mathcal{A}$ of precodes $\mathcal{R}$ and $\mathcal{A}$ is said to be an epimorphism 
if and only if $gf = g'f$ implies $g = g'$ for all $g, g' \in \mathrm{Hom}_{\mathfrak{P}}(\mathcal{A}, \mathcal{B})$ and all 
$\mathcal{B} \in \mathrm{Obj}(\mathfrak{P})$. 

Lemma 2. Let $f\colon \mathcal{R} \to \mathcal{A}$ be a morphism of precodes. Then $f = (f_1, f_2)$ is epic 
if and only if $f_1$ and $f_2$ are surjective functions. 

Proof. Suppose that $f_1$ and $f_2$ are surjective functions, hence epimorphisms, in 
the category of sets. This implies that $f$ is an epimorphism. 

Let $f$ be an epimorphism. Seeking a contradiction, we assume that not both 
$f_1$ and $f_2$ are surjective. Denote by $2$ the two element set $\{0, 1\}$. Define the 
precode $\mathcal{B} = (2, 2, 2 \times 2, 2 \times 2)$. Let $g$ and $h$ be two distinct morphisms in 
$\mathrm{Hom}_{\mathfrak{P}}(\mathcal{A}, \mathcal{B})$ that take the same values on the image of $f$. It follows from our 
assumption that such morphisms exist. However, since $gf = hf$ implies $g = h$, 
we get the desired contradiction. □ 

A morphism $f\colon \mathcal{R} \to \mathcal{A}$ of precodes $\mathcal{R}$ and $\mathcal{A}$ is called an isomorphism if 
and only if there exists a morphism $g\colon \mathcal{A} \to \mathcal{R}$ such that $fg = 1_{\mathcal{A}}$ and $gf = 1_{\mathcal{R}}$. 

Lemma 3. Let $f\colon \mathcal{R} \to \mathcal{A}$ be a morphism of precodes. If $f = (f_1, f_2)$ is an 
isomorphism then $f_1$ and $f_2$ are bijective functions. 

Proof. An isomorphism is monic and epic, implying that $f_1$ and $f_2$ are bijective 
functions. □ 

The evident asymmetry in the statement of this lemma reflects the fact that 
an epimorphism $f = (f_1, f_2)$ need not be surjective on the encoding relation 
or decoding relation, even though the functions $f_1$ and $f_2$ are surjective. This 
fact has some quizzical consequences. For instance, a monic and epic morphism 
in the category of precodes is not necessarily an isomorphism. To see this, let $\iota$ 
denote the identity function on $2$. Then $(\iota, \iota)$ is a monic and epic morphism from 
$\mathcal{R} = (2, 2, \emptyset, \emptyset)$ to $\mathcal{A} = (2, 2, 2 \times 2, 2 \times 2)$. But it is obviously not an isomorphism. 
5 Limits 

In this section we derive some fairly general constructions of codes and precodes. 
The constructions are based on the categorical notion of a limit. 

Recall that a diagram $\mathcal{D}$ in a category $\mathfrak{P}$ is a directed graph whose vertices 
$i \in I$ are labelled by objects $\mathcal{R}_i$ in $\mathfrak{P}$ and whose edges $i \to j$ are labelled by 
morphisms in $\mathrm{Hom}_{\mathfrak{P}}(\mathcal{R}_i, \mathcal{R}_j)$. The underlying graph is called the scheme of the 
diagram. 

A family of morphisms $(f_i\colon \mathcal{A} \to \mathcal{R}_i)_{i \in I}$ with common domain $\mathcal{A}$ is said to be 
a cone for $\mathcal{D}$, provided that for each arrow $d\colon \mathcal{R}_i \to \mathcal{R}_j$ in the diagram $\mathcal{D}$, the 
triangle formed by $f_i$, $f_j$ and $d$ commutes, that is, 

$$f_j = d \circ f_i.$$

A limit for $\mathcal{D}$ is a cone for $\mathcal{D}$ with the universal property that any 
other cone for $\mathcal{D}$ uniquely factors through it. In other words, if $(f_i\colon \mathcal{A} \to \mathcal{R}_i)_{i \in I}$ 
is the limit of a diagram $\mathcal{D}$ and $(g_i\colon \mathcal{B} \to \mathcal{R}_i)_{i \in I}$ is a cone for $\mathcal{D}$, then there 
exists exactly one arrow $u\colon \mathcal{B} \to \mathcal{A}$ such that $g_i = f_i \circ u$ for all $i \in I$. 

We want to show that the category $\mathfrak{P}$ of precodes and the category $\mathfrak{C}$ of codes 
are complete. In other words, we need to show that limits exist for all diagrams. 
Fortunately, it is sufficient to prove that products and equalizers exist [1,7]. 

We need to introduce some more notation. Let $(r_i)_{i \in I}$ be a family of relations 
indexed by a set $I$, where $r_i \subseteq P_i \times C_i$. We can define a product of these relations 
by 

$$\prod r_i = \Big\{ (p, c) \in \prod P_i \times \prod C_i \;\Big|\; (p(i), c(i)) \in r_i \text{ for all } i \in I \Big\},$$

where all products range over the index set $I$. Sometimes we will denote the 
product of two relations $r_i$ and $r_j$ by $r_i \otimes r_j$. For example, if $r_1 = \{(2, 1), (1, 2)\}$, 
$r_2 = \{(a, b), (a, c)\}$, then the product relation $r_1 \otimes r_2$ is given by 

$$r_1 \otimes r_2 = \{((2, a), (1, b)), ((2, a), (1, c)), ((1, a), (2, b)), ((1, a), (2, c))\}.$$




Theorem 1. The category $\mathfrak{P}$ of precodes has products. The product of a family 
of codes is again a code. 

Proof. Let $\mathcal{R}_i = (P_i, C_i, e_i, d_i)$, $i \in I$, be a family of precodes indexed by a set $I$. 
The product of this family is obtained by taking cartesian products of the symbol 
sets, and the product of the encoding and decoding relations. In other words, 
the product of the family $\mathcal{R}_i$ is given by $(\mathcal{R}, (\pi_i\colon \mathcal{R} \to \mathcal{R}_i)_{i \in I})$, where the precode 
$\mathcal{R}$ is given by the object 

$$\Big(\prod_{i \in I} P_i,\ \prod_{i \in I} C_i,\ \prod_{i \in I} e_i,\ \prod_{i \in I} d_i\Big)$$ 

and the projection map $\pi_i$ is the obvious map onto the $i$th component. It is clear that $\mathcal{R}$ is a code 
if and only if all $\mathcal{R}_i$ are codes. □ 
The equalizer $(\mathcal{E}, u)$ of two morphisms $f, g\colon \mathcal{R} \to \mathcal{A}$ is an object $\mathcal{E}$ together 
with a morphism $u\colon \mathcal{E} \to \mathcal{R}$ such that $fu = gu$, with the additional property 
that every morphism $h\colon \mathcal{B} \to \mathcal{R}$ satisfying $fh = gh$ factors uniquely through $u$. In other 
words, there is exactly one $\varepsilon\colon \mathcal{B} \to \mathcal{E}$ making the triangle commute: 

$$h = u \circ \varepsilon.$$

Recall that in the category of sets, the equalizer of two functions $f, g\colon R \to A$ is 
given by the coincidence set $\{x \in R \mid f(x) = g(x)\}$ with the inclusion mapping. 

Theorem 2. The category $\mathfrak{P}$ has equalizers. If $(\mathcal{E}, u)$ is the equalizer of two 
morphisms between codes, then $\mathcal{E}$ is also a code. 

Proof. Let $\mathcal{R} = (P, C, e, d)$ and $\mathcal{A}$ be precodes. Let $f = (f_1, f_2)$ and $g = (g_1, g_2)$ 
be a pair of morphisms between $\mathcal{R}$ and $\mathcal{A}$. We give an explicit construction of 
the equalizer. 

The equalizer $(\mathcal{E}, u)$ of $f$ and $g$ is given by the precode $\mathcal{E} = (P^*, C^*, e^*, d^*)$, 
where the plaintext symbols $P^* = \{a \in P \mid f_1(a) = g_1(a)\}$ and codetext symbols 
$C^* = \{a \in C \mid f_2(a) = g_2(a)\}$ are just coincidence sets, and the encoding and 
decoding relations are obtained from $\mathcal{R}$ by restriction, that is, $e^* = e|_{P^* \times C^*}$, 
$d^* = d|_{C^* \times P^*}$, and the morphism $u = (\iota_1, \iota_2)$ is induced by the set inclusion 
maps $\iota_1\colon P^* \to P$, $\iota_2\colon C^* \to C$. 

The construction ensures that $u(\mathcal{E})$ is the largest subprecode of $\mathcal{R}$ such that 
the restrictions of the functions $f$ and $g$ on $u(\mathcal{E})$ coincide, $f|_{u(\mathcal{E})} = g|_{u(\mathcal{E})}$. We 
can express any $h\colon \mathcal{B} \to \mathcal{R}$ with $fh = gh$ by a composition of a morphism $\varepsilon\colon \mathcal{B} \to \mathcal{E}$ with $u$, since $h(\mathcal{B})$ 
is a subprecode of $u(\mathcal{E})$. The morphism $\varepsilon$ is uniquely determined, since $u$ is a 
monomorphism. □ 

Theorem 3. The category $\mathfrak{P}$ of precodes and the category $\mathfrak{C}$ of codes are complete. 

Proof. The categories $\mathfrak{P}$ and $\mathfrak{C}$ have products and equalizers and are therefore 
complete [1, 7]. The main idea of this standard construction goes as follows. 
Suppose that we are given a diagram $\mathcal{D}$ in $\mathfrak{P}$ with sets $V$ of vertices and $E$ of 
edges. We build two products: the product of all objects in $\mathcal{D}$, and the product 
indexed by $E$ of all codomains of arrows in $\mathcal{D}$. The universal property of the 
$E$-indexed product induces unique maps $\psi_1$ and $\psi_2$ from the $V$-indexed product 
to the $E$-indexed product. 

The map $h$ is given by the equalizer of $\psi_1$ and $\psi_2$, and the maps $c_i$ are given 
by composition of $h$ with the projection maps $\pi_i$, that is, $c_i = \pi_i \circ h$. It is not 
difficult to see that $(\mathcal{G}, (c_i)_{i \in I})$ is a cone of $\mathcal{D}$. It follows from the universality of 
the equalizer and of the $V$-indexed product that this cone is the limit of $\mathcal{D}$. □ 

6 Colimits 

Reversing arrows, we obtain the concept of cocones and colimits of diagrams. 
We will derive the dual results for precodes. 

Theorem 4. The category $\mathfrak{P}$ of precodes has coproducts. The coproduct of a 
family of codes is again a code. 

Proof. The coproduct $(\mathcal{K}, (\iota_i\colon \mathcal{R}_i \to \mathcal{K})_{i \in I})$ of the family $\mathcal{R}_i$ is given by the 
disjoint union of the symbol sets and the induced disjoint union of the encoding 
and decoding relations together with the obvious inclusion maps. In other words, 

$$\mathcal{K} = \Big( \bigcup_{i \in I} P_i \times \{i\},\ \bigcup_{i \in I} C_i \times \{i\},\ \bigcup_{i \in I} e_i \otimes \Delta_i,\ \bigcup_{i \in I} d_i \otimes \Delta_i \Big),$$

where $\Delta_i$ denotes the relation $\Delta_i = \{(i, i)\}$. 

It is clear that $\mathcal{K}$ is a code if and only if all $\mathcal{R}_i$ are codes. □ 

Theorem 5. The category $\mathfrak{P}$ has coequalizers. 

Proof. Let $\mathcal{R}$ and $\mathcal{A} = (P, C, e, d)$ be precodes, and let $f = (f_1, f_2)$ and $g = (g_1, g_2)$ 
be a pair of morphisms between $\mathcal{R}$ and $\mathcal{A}$. Let $E_1$ be the smallest equivalence 
relation on $P$ such that $f_1(a)$ and $g_1(a)$ are equivalent. Similarly, let $E_2$ 
be the smallest equivalence relation on $C$ such that $f_2(a)$ and $g_2(a)$ are equivalent. 
The coequalizer of $f$ and $g$ is given by the precode $(P/E_1, C/E_2, e/(E_1 \otimes E_2), d/(E_2 \otimes E_1))$ 
and the morphism $(c_1, c_2)$ induced by the canonical quotient 
maps $c_1\colon P \to P/E_1$ and $c_2\colon C \to C/E_2$. □ 

Remark 1. The coequalizer of two codes in the category $\mathfrak{P}$ is not necessarily a 
code. For example, let $\mathcal{K} = (\{1, 2\}, \{1, 2\}, \mathrm{id}, \mathrm{id})$ be the code with identity encoding 
and decoding relations. Denote by $\iota$ and $s$ the two bijective functions from $\{1, 2\}$ 
onto itself. Then the coequalizer of the morphisms $(\iota, \iota)$ and $(\iota, s)$ is the precode 
$\mathcal{E}$ given by 

$$\mathcal{E} = \big(\{1, 2\},\ \{[1]\},\ \{(1, [1]), (2, [1])\},\ \{([1], 1), ([1], 2)\}\big).$$



Theorem 6. The category of precodes is cocomplete. 

Proof. The category has coproducts and coequalizers and is therefore cocom- 
plete. □ 
7 Examples 

Example 1 (RSA). Denote by $p$ and $q$ two distinct odd primes. A key setting of 
an RSA public key cryptosystem [10] can be seen as a code over the symbol set 
$\mathbb{Z}/pq\mathbb{Z}$, where the encoding relation $e$ is given by the function $x \mapsto x^{\varepsilon} \bmod pq$ 
and the decoding relation $d$ is given by $x \mapsto x^{\delta} \bmod pq$. The exponents are 
assumed to satisfy the congruence $\varepsilon\delta \equiv 1 \bmod \varphi(pq)$, where $\varphi$ is Euler's totient 
function. We denote this code by $\mathcal{RSA} = (\mathbb{Z}/pq\mathbb{Z}, \mathbb{Z}/pq\mathbb{Z}, e, d)$. 

Reducing the symbol sets modulo $p$ and $q$ respectively, one obtains two key 
settings of Pohlig-Hellman cryptosystems [8], denoted by 

$$\mathcal{PH}_1 = (\mathbb{Z}/q\mathbb{Z}, \mathbb{Z}/q\mathbb{Z}, e_1, d_1) \quad\text{and}\quad \mathcal{PH}_2 = (\mathbb{Z}/p\mathbb{Z}, \mathbb{Z}/p\mathbb{Z}, e_2, d_2).$$

The encoding and decoding relations are obtained from $e$ and $d$ by reducing 
modulo $p$ and $q$ respectively. For instance, the relation $e_1$ is given by the function 
$x \mapsto x^{\varepsilon} \bmod q$. 

The $\mathcal{RSA}$ code is, in the terminology introduced in the next section, an 
example of a product of the codes $\mathcal{PH}_1$ and $\mathcal{PH}_2$. 



Example 2 (RSA, cont'd). Conversely, given two Pohlig-Hellman codes 

$$\mathcal{PH}_1 = (\mathbb{Z}/q\mathbb{Z},\ \mathbb{Z}/q\mathbb{Z},\ x \mapsto x^{\varepsilon_1} \bmod q,\ x \mapsto x^{\delta_1} \bmod q),$$

$$\mathcal{PH}_2 = (\mathbb{Z}/p\mathbb{Z},\ \mathbb{Z}/p\mathbb{Z},\ x \mapsto x^{\varepsilon_2} \bmod p,\ x \mapsto x^{\delta_2} \bmod p),$$

and assuming that $\gcd(p-1, q-1) \mid (\varepsilon_1 - \varepsilon_2)$, then it is easy to see that the greatest 
common divisor of $p-1$ and $q-1$ divides $\delta_1 - \delta_2$. The Chinese remainder theorem 
yields the integers $\varepsilon, \delta$ satisfying 

$$\varepsilon \equiv \varepsilon_1 \bmod q-1, \qquad \delta \equiv \delta_1 \bmod q-1,$$

$$\varepsilon \equiv \varepsilon_2 \bmod p-1, \qquad \delta \equiv \delta_2 \bmod p-1,$$

respectively. The $\mathcal{RSA}$ code 

$$(\mathbb{Z}/pq\mathbb{Z},\ \mathbb{Z}/pq\mathbb{Z},\ x \mapsto x^{\varepsilon} \bmod pq,\ x \mapsto x^{\delta} \bmod pq)$$

is then isomorphic to the product of $\mathcal{PH}_1$ and $\mathcal{PH}_2$. 
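Example 2 carried out in code, as an added example that is not part of the paper: the two Pohlig-Hellman exponent pairs are combined by a Chinese-remainder step for the non-coprime moduli $q-1$ and $p-1$ (which is where the gcd condition enters), and the map $x \mapsto (x \bmod q, x \bmod p)$ is checked to be an isomorphism onto the product code of Theorem 1. The primes $p = 5$, $q = 7$ and the exponents are assumed small values; the helper names are this example's own.

```python
# Added example (not the paper's code): Example 2 with assumed small primes
# p = 5, q = 7 and assumed Pohlig-Hellman exponents; relations are sets of pairs.
from math import gcd


def crt_pair(a1, m1, a2, m2):
    """Solve x ≡ a1 (mod m1), x ≡ a2 (mod m2) for moduli that need not be coprime.
    Returns x modulo lcm(m1, m2), or None when gcd(m1, m2) does not divide a1 - a2."""
    g = gcd(m1, m2)
    if (a1 - a2) % g:
        return None
    m2g = m2 // g
    # m1*t ≡ a2 - a1 (mod m2)  <=>  (m1/g)*t ≡ (a2 - a1)/g (mod m2/g); m1/g is a unit there
    t = ((a2 - a1) // g * pow(m1 // g, -1, m2g)) % m2g if m2g > 1 else 0
    return (a1 + m1 * t) % (m1 * m2g)


def power_code(n, eps, delta):
    """Key setting (Z/nZ, Z/nZ, x -> x^eps mod n, x -> x^delta mod n):
    Pohlig-Hellman for prime n, RSA for n = pq."""
    P = range(n)
    return (set(P), set(P), {(x, pow(x, eps, n)) for x in P},
            {(y, pow(y, delta, n)) for y in P})


def is_code(P, C, e, d):
    """d∘e must be subdiagonal: decoding an encoded symbol gives that symbol back."""
    enc, dec = dict(e), dict(d)          # both relations are functions here
    return all(dec[enc[p]] == p for p in P)


def rsa_from_pohlig_hellman(p, q, eps1, delta1, eps2, delta2):
    """Combine PH1 over Z/qZ and PH2 over Z/pZ into RSA exponents as in
    Example 2; returns (rsa_code, eps, delta)."""
    eps = crt_pair(eps1, q - 1, eps2, p - 1)
    delta = crt_pair(delta1, q - 1, delta2, p - 1)
    if eps is None or delta is None:
        raise ValueError("gcd(p-1, q-1) must divide eps1 - eps2 (and hence delta1 - delta2)")
    return power_code(p * q, eps, delta), eps, delta


def crt_is_isomorphism(rsa, ph1, ph2, p, q):
    """h(x) = (x mod q, x mod p) is a bijection Z/pqZ -> Z/qZ x Z/pZ; it is an
    isomorphism of precodes iff it carries e and d onto e1 ⊗ e2 and d1 ⊗ d2."""
    h = lambda x: (x % q, x % p)
    e_prod = {((a, b), (c, dd)) for (a, c) in ph1[2] for (b, dd) in ph2[2]}
    d_prod = {((a, b), (c, dd)) for (a, c) in ph1[3] for (b, dd) in ph2[3]}
    return ({(h(x), h(y)) for (x, y) in rsa[2]} == e_prod
            and {(h(x), h(y)) for (x, y) in rsa[3]} == d_prod)


if __name__ == "__main__":
    p, q = 5, 7                            # assumed small primes
    ph1 = power_code(q, 5, 5)              # 5*5 = 25 ≡ 1 (mod q-1 = 6)
    ph2 = power_code(p, 3, 3)              # 3*3 = 9 ≡ 1 (mod p-1 = 4)
    rsa, eps, delta = rsa_from_pohlig_hellman(p, q, 5, 5, 3, 3)
    print(eps, delta, is_code(*rsa), crt_is_isomorphism(rsa, ph1, ph2, p, q))
```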



Example 3 (Unequal Error Protection). We construct a simple (nonlinear) error 
control code that protects 0 and 1 against one single error, and can detect a 
single error in the transmission of 20 other symbols $\{2, \ldots, 21\}$. This code is 
constructed with the help of two smaller codes. 

Denote by $\mathbb{F}_2$ the binary finite field. Let $C_1$ be the set of all codewords in 
$\mathbb{F}_2^6$ of (Hamming) weight 0, 1, 5, and 6. Let $\mathcal{A}_1$ be the code $(\mathbb{F}_2, C_1, e_1, d_1)$, 
where $e_1(0) = 000000$ and $e_1(1) = 111111$, and the decoding relation $d_1$ maps 
all codewords of weight 0 or 1 to the plaintext symbol 0, and maps all codewords 
of weight 5 or 6 to the plaintext symbol 1. 

Let $C_2$ be the set of all codewords in $\mathbb{F}_2^6$ of weight 3. The plaintext symbol 
set is given by $P_2 = \{2, \ldots, 21\}$. The encoding relation $e_2$ maps the symbols 
$2, \ldots, 21$ to the codewords in $C_2$ in lexical order respectively, and the decoding 
relation is given by the inverse function $d_2 = e_2^{-1}$. Then $\mathcal{A}_2 = (P_2, C_2, e_2, e_2^{-1})$. 
The code $\mathcal{R}$ is given by the union of the codes $\mathcal{A}_1$ and $\mathcal{A}_2$, that is, 

$$\mathcal{R} = (\{0, \ldots, 21\},\ \mathbb{F}_2^6,\ e_1 \cup e_2,\ d_1 \cup d_2).$$

This code is (isomorphic to) the coproduct (as defined in Section 6) of the codes 
$\mathcal{A}_1$ and $\mathcal{A}_2$. 
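The constructions of Sections 5 and 6 and this Example 3, as an added example that is not part of the paper: precodes are modelled as $(P, C, e, d)$ with the relations as sets of pairs, the product and coproduct are built as in Theorems 1 and 4, and the unequal-error-protection code $\mathcal{R}$ is assembled and compared with the coproduct of $\mathcal{A}_1$ and $\mathcal{A}_2$. The weight sets and lexical ordering follow the paper; the helper names, the untagging check and the single-error demonstration are this example's own.

```python
# Added example (not the paper's code): precodes as (P, C, e, d) with e, d as
# sets of pairs; product, coproduct and the Example 3 code over F_2^6.
from itertools import product as cartesian


def is_code(P, C, e, d):
    """A precode is a code iff d∘e is subdiagonal: a codetext symbol that some
    p encodes to must decode back to p only."""
    return all(p == q for (p, c) in e for (c2, q) in d if c == c2)


def product_relation(r1, r2):
    """r1 ⊗ r2 = {((p1, p2), (c1, c2)) | (p1, c1) ∈ r1, (p2, c2) ∈ r2}."""
    return {((p1, p2), (c1, c2)) for (p1, c1) in r1 for (p2, c2) in r2}


def product(R1, R2):
    """Product precode of Theorem 1: cartesian symbol sets, ⊗ of relations."""
    (P1, C1, e1, d1), (P2, C2, e2, d2) = R1, R2
    return (set(cartesian(P1, P2)), set(cartesian(C1, C2)),
            product_relation(e1, e2), product_relation(d1, d2))


def coproduct(*Rs):
    """Coproduct of Theorem 4: symbols tagged with their index i and relations
    e_i ⊗ Δ_i, d_i ⊗ Δ_i with Δ_i = {(i, i)}."""
    P, C, e, d = set(), set(), set(), set()
    for i, (Pi, Ci, ei, di) in enumerate(Rs):
        P |= {(p, i) for p in Pi}
        C |= {(c, i) for c in Ci}
        e |= product_relation(ei, {(i, i)})
        d |= product_relation(di, {(i, i)})
    return P, C, e, d


def untag(R):
    """Forget the coproduct tags.  This is an isomorphism only when the untagged
    symbol sets stay disjoint, which is checked here."""
    P, C, e, d = R
    P0, C0 = {p for p, _ in P}, {c for c, _ in C}
    if len(P0) != len(P) or len(C0) != len(C):
        raise ValueError("component symbol sets overlap; untagging is not injective")
    return (P0, C0, {(p, c) for (p, _), (c, _) in e}, {(c, p) for (c, _), (p, _) in d})


def decode(R, word):
    """All plaintext symbols a received word decodes to (empty: error detected)."""
    return {p for (c, p) in R[3] if c == word}


def flip(word, i):
    """Constructed channel error: toggle bit i of a word (tuple of bits)."""
    return word[:i] + (1 - word[i],) + word[i + 1:]


# --- Example 3: the two component codes over F_2^6 ---------------------------
WORDS = list(cartesian((0, 1), repeat=6))
weight = sum

C1 = {w for w in WORDS if weight(w) in (0, 1, 5, 6)}
E1 = {(0, (0,) * 6), (1, (1,) * 6)}
D1 = {(w, 0) for w in C1 if weight(w) <= 1} | {(w, 1) for w in C1 if weight(w) >= 5}
A1 = ({0, 1}, C1, E1, D1)

C2 = sorted(w for w in WORDS if weight(w) == 3)    # the 20 words of weight 3, lexical order
E2 = set(zip(range(2, 22), C2))                     # symbols 2..21 in that order
D2 = {(c, p) for (p, c) in E2}
A2 = (set(range(2, 22)), set(C2), E2, D2)

# R = ({0..21}, F_2^6, e1 ∪ e2, d1 ∪ d2), built as the union as in the paper
R = (A1[0] | A2[0], set(WORDS), E1 | E2, D1 | D2)


def matches_coproduct(R, *parts):
    """R agrees with the untagged coproduct on symbols and relations, except that
    R's codetext set is all of F_2^6: the weight-2 and weight-4 words decode to
    nothing, which is exactly how a single error in 2..21 is detected."""
    P, C, e, d = untag(coproduct(*parts))
    return P == R[0] and C <= R[1] and e == R[2] and d == R[3]


def unequal_protection_demo():
    """(decode after one error on e(0), decode after one error on e(5)):
    the first is corrected, the second only detected."""
    enc = dict(R[2])
    return decode(R, flip(enc[0], 0)), decode(R, flip(enc[5], 0))


if __name__ == "__main__":
    print(is_code(*R), matches_coproduct(R, A1, A2), unequal_protection_demo())
```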

Example 4 (Codes over p-adic Integers). The famous explanation of the nonlinear 
Kerdock and Preparata error control codes as linear codes over $\mathbb{Z}/4\mathbb{Z}$ gave 
rise to other explorations of Hensel lifting in coding theory. In [4], Calderbank 
and Sloane investigated a series of Hamming codes over the symbol sets $\mathbb{Z}/2^n\mathbb{Z}$. 
The familiar binary $[7,4]$ Hamming code has generator polynomial $x^3 + x + 1$. 
Hensel lifting of this generator polynomial to $\mathbb{Z}/4\mathbb{Z}$ gives a unique monic 
irreducible polynomial that divides $x^7 - 1$ in $\mathbb{Z}/4\mathbb{Z}[x]$. Proceeding further, one 
obtains a series of cyclic codes over $\mathbb{Z}/8\mathbb{Z}$, $\mathbb{Z}/16\mathbb{Z}$, $\mathbb{Z}/32\mathbb{Z}$, etc. The 2-adic lift of 
the binary Hamming code is then the error control code over the ring of 2-adic 
integers with generator matrix 

$$\begin{pmatrix} 
1 & \lambda & \lambda^* & -1 & 0 & 0 & 0 \\ 
0 & 1 & \lambda & \lambda^* & -1 & 0 & 0 \\ 
0 & 0 & 1 & \lambda & \lambda^* & -1 & 0 \\ 
0 & 0 & 0 & 1 & \lambda & \lambda^* & -1 
\end{pmatrix},$$

where $\lambda$ is the 2-adic integer $(1 - \sqrt{-7})/2$, and $\lambda^* := \lambda - 1$. 

The code $(\mathbb{Z}_2^4, \mathbb{Z}_2^7, e, d)$ corresponding to this Hamming code over the 2-adic 
integers $\mathbb{Z}_2$ is a special case of the limit construction of codes described in 
Section 5. 

8 Subprecode Lattice 

The following question was posed in [3]: Does there exist a Jordan-Hölder- 
Schreier theory of codes? We give an affirmative answer to this question in this 
section. 

Denote by $\mathrm{Lat}(\mathcal{R})$ the set of subprecodes of a precode $\mathcal{R}$. The subprecode 
relation defines a partial order $\le$ on $\mathrm{Lat}(\mathcal{R})$, namely, $\mathcal{R}_i \le \mathcal{R}_j$ if and only if 
$\mathcal{R}_i$ is a subprecode of $\mathcal{R}_j$. 

Proposition 1. The partially ordered set $\mathrm{Lat}(\mathcal{R})$ of subprecodes of a precode $\mathcal{R}$ 
is a lattice. In particular, the subcodes of a code form a lattice. 

Proof. Define the join $\mathcal{R}_i \vee \mathcal{R}_j$ of two precodes $\mathcal{R}_i$ and $\mathcal{R}_j$ by their union 
$\mathcal{R}_i \vee \mathcal{R}_j = (P_i \cup P_j, C_i \cup C_j, e_i \cup e_j, d_i \cup d_j)$; and define the meet $\mathcal{R}_i \wedge \mathcal{R}_j$ of two precodes 
$\mathcal{R}_i$ and $\mathcal{R}_j$ by their intersection $\mathcal{R}_i \wedge \mathcal{R}_j = (P_i \cap P_j, C_i \cap C_j, e_i \cap e_j, d_i \cap d_j)$. 
Clearly, $\mathcal{R}_i \vee \mathcal{R}_j$ is the smallest precode containing $\mathcal{R}_i$ and $\mathcal{R}_j$, and $\mathcal{R}_i \wedge \mathcal{R}_j$ is the 
largest subprecode contained in both $\mathcal{R}_i$ and $\mathcal{R}_j$. Thus, $\mathrm{Lat}(\mathcal{R})$ is indeed a lattice 
with respect to those meet and join operations. The second statement follows 
immediately, since every subprecode of a code is again a code. □ 

Notice that the lattice $\mathrm{Lat}(\mathcal{R})$ is bounded, since every subprecode of $\mathcal{R}$ lies 
between the bounds $0$ and $1$, where $0 = (\emptyset, \emptyset, \emptyset, \emptyset)$ and $1 = \mathcal{R}$. 

The lattice $\mathrm{Lat}(\mathcal{R})$ is distributive, since the distributive laws of the meet and 
join operations 

$$\forall \mathcal{A}, \mathcal{B}, \mathcal{C} \in \mathrm{Lat}(\mathcal{R})\colon\quad \mathcal{A} \wedge (\mathcal{B} \vee \mathcal{C}) = (\mathcal{A} \wedge \mathcal{B}) \vee (\mathcal{A} \wedge \mathcal{C}),$$

$$\forall \mathcal{A}, \mathcal{B}, \mathcal{C} \in \mathrm{Lat}(\mathcal{R})\colon\quad \mathcal{A} \vee (\mathcal{B} \wedge \mathcal{C}) = (\mathcal{A} \vee \mathcal{B}) \wedge (\mathcal{A} \vee \mathcal{C}),$$

follow immediately from the set theoretic union and intersection properties. 
Thus, we can strengthen the statement of Proposition 1 as follows: 

Proposition 2. The partially ordered set $\mathrm{Lat}(\mathcal{R})$ of subprecodes of a precode $\mathcal{R}$ 
is a bounded distributive lattice. 

A Schreier refinement theorem can be derived for any modular lattice, and thus 
in particular for the distributive lattice $\mathrm{Lat}(\mathcal{R})$. We need to introduce some 
terminology to state this result. Let $\mathcal{A}$ and $\mathcal{B}$ be two precodes in $\mathrm{Lat}(\mathcal{R})$ such 
that $\mathcal{A} \le \mathcal{B}$. The subset $[\mathcal{A}, \mathcal{B}] = \{\mathcal{C} \in \mathrm{Lat}(\mathcal{R}) \mid \mathcal{A} \le \mathcal{C} \le \mathcal{B}\}$ is called the 
interval between the precodes $\mathcal{A}$ and $\mathcal{B}$. Two chains in a subprecode lattice 
$\mathrm{Lat}(\mathcal{R})$, 

$$\mathcal{A} = \mathcal{A}_0 \le \ldots \le \mathcal{A}_m = \mathcal{B}, \tag{1}$$

$$\mathcal{A} = \mathcal{B}_0 \le \ldots \le \mathcal{B}_n = \mathcal{B}, \tag{2}$$

between the same subprecodes $\mathcal{A}$ and $\mathcal{B}$ of $\mathcal{R}$ are said to be isomorphic if and 
only if $m = n$ and there is a permutation $\pi$ of $1, \ldots, n$ such that the interval 
$[\mathcal{A}_{i-1}, \mathcal{A}_i]$ is lattice-isomorphic to the interval $[\mathcal{B}_{\pi(i)-1}, \mathcal{B}_{\pi(i)}]$. Defining the 
precodes $\mathcal{A}_{01} = \mathcal{B}_{01} = \mathcal{A}$, and 

$$\mathcal{A}_{ij} = (\mathcal{A}_i \wedge \mathcal{B}_j) \vee \mathcal{B}_{j-1}, \qquad \mathcal{B}_{ji} = (\mathcal{B}_j \wedge \mathcal{A}_i) \vee \mathcal{A}_{i-1},$$

for $i = 1, \ldots, m$ and $j = 1, \ldots, n$, we obtain refinements of the chains (1) and (2) by 

$$\mathcal{A} = \mathcal{A}_{01} \le \cdots \le \mathcal{A}_{m1} \le \mathcal{A}_{12} \le \cdots \le \mathcal{A}_{m2} \le \mathcal{A}_{13} \le \cdots \le \mathcal{A}_{mn} = \mathcal{B},$$

$$\mathcal{A} = \mathcal{B}_{01} \le \cdots \le \mathcal{B}_{n1} \le \mathcal{B}_{12} \le \cdots \le \mathcal{B}_{n2} \le \mathcal{B}_{13} \le \cdots \le \mathcal{B}_{nm} = \mathcal{B},$$

respectively. Since the lattice $\mathrm{Lat}(\mathcal{R})$ is modular, these two chains are isomorphic, 
cf. [5, p. 70]. Therefore, one obtains the following Schreier-type refinement 
proposition for precodes: 

Proposition 3. Any two chains between two precodes in $\mathrm{Lat}(\mathcal{R})$ have isomorphic 
refinements. 
As a consequence, we obtain a Jordan-Hölder-type proposition: 

Proposition 4. Suppose that the precode $\mathcal{R} = (P, C, e, d)$ has finite symbol sets. 
Then any chain can be refined to a maximal chain and any two maximal chains 
between two given end-points have the same length. 

Unfortunately, this proposition is not as useful as its group theoretic analogue, 
since a maximal chain reflects the size of the precode and not its structure. For 
example, suppose that the cardinalities of $P$, $C$, $e$ and $d$ are $\alpha$, $\beta$, $\gamma$ and $\delta$. Then 
all maximal chains are of length $\alpha + \beta + \gamma + \delta$. 



9 Conclusions 

A cryptanalyst who breaks a monoalphabetic substitution cipher by uncovering 
successively the plaintext value of various codetext symbols (e.g. by means of 
frequency analysis) does what amounts to forming an increasing sequence of 
subcodes of the cipher under attack. Similarly, an attack on a polyalphabetic 
substitution cipher which recovers one alphabet after another can be viewed 
as discovering homomorphic images of that cipher. It may often make sense 
to approach a cryptanalytic problem as a sequence of breaks of a sequence of 
homomorphic images of, or subobjects of, a code which is a key-setting of a 
cryptosystem. 

The four propositions above form one schema for the first of these two ap- 
proaches, but can involve lengthy maximal chains. A complementary - perhaps 
more incisive - Jordan-Hölder-Schreier theory might be obtained by recourse to 
a different partial order on a collection of precodes, such as an order based on 
homomorphic images (or even the strong homomorphic images suggested by the 
three isomorphism theorems in [3]). 

This paper has shown that the general theory of codes introduced in [2,3] 
can be formulated in category-theoretical terms. It has presented constructions 
such as limits, colimits and equalizers, and has shown that special cases are in fact 
already present in existing codes in current use. 
Abstract. Polynomial Authentication and Signature Scheme (PASS) is a new 
public key authentication and signature scheme proposed by NTRU 
Cryptosystems Inc. It is based on the hard problems related to constrained 
polynomial evaluation. In this paper, we break PASS with the proposed 
parameters. We show how to forge valid authentication transcripts or digital 
signatures in PASS with knowledge of the public key only and without 
knowing any previous authentication transcripts or signatures. 



1 Introduction 

A group of highly efficient public key cryptosystems, including NTRU [1, 2] for 
asymmetric encryption and PASS [3] for digital authentication and signature, were 
proposed recently by Hoffstein, Pipher, and Silverman from NTRU Cryptosystems, 
Inc. This group of cryptosystems is based on the hard problems of partial evaluation 
of constrained polynomials over polynomial rings. An outstanding feature of the 
proposed cryptosystems is that key generation, encryption/decryption, authentication 
and digital signature operations can be performed highly efficiently. 

NTRU, after its first appearance at Crypto'96, has received a great deal of 
attention in the cryptographic community. Odlyzko first pointed out the meet-in-the- 
middle attack on NTRU, and this was followed by the lattice attacks on NTRU from 
Coppersmith and Shamir [4]. The reaction attack proposed recently by Hall, Goldberg 
and Schneier [5] also has an effect on NTRU. The currently suggested parameters for 
NTRU and the corresponding security estimates take into account all the above attacks. 
For a discussion of the security of NTRU with respect to all these attacks, the reader is 
referred to the NTRU Cryptosystems homepage (http://www.ntru.com/documentcenter.htm). 

The NTRU cryptosystem has also received a lot of attention from industry. Sony 
Corporation of America has made an investment in NTRU, and Tao Group Ltd of 
Reading, England, signed an agreement with NTRU to incorporate NTRU's encryption 
technology into handheld and consumer devices (http://www.ntru.com/pressreleases/). 
The NTRU public key encryption scheme was submitted to the IEEE P1363 group as a 
potential IEEE public key cryptosystem standard 
(http://grouper.ieee.org/groups/1363/addendum.html). 
More recently, Hoffstein, Pipher, and Silverman from NTRU Cryptosystems Inc 
proposed PASS, a public key cryptosystem for authentication and digital signature 
[3]. Like NTRU, PASS features extremely light computational requirements for both 
the prover and the verifier. The hard problem underlying the security of PASS is 
related to properties of short polynomials. Since short polynomials can be made to 
correspond to short vectors in a lattice, it is important to carefully consider the 
possibility of attack by lattice reduction methods in the design of PASS. The authors 
of PASS were well aware of lattice reduction methods such as the LLL [6] and the 
improved LLL lattice reduction methods [7, 8] and they designed PASS to be secure 
against these attacks. 

In this paper, we present the cryptanalysis of PASS. We show that PASS with the 
proposed parameters is not sound, i.e., it is easy to forge authentication 
transcripts or signatures knowing only the public key, without any knowledge of 
the private key or of any previous authentication transcripts or signatures. The amount of 
computation required to launch the attacks is small enough to be carried out very 
comfortably on a PC. 

This paper is organized as follows. Section 2 presents the PASS authentication and 
signature scheme. Two attacks on the PASS authentication and signature schemes are 
given in Section 3 and Section 4, respectively. Section 5 concludes the paper. 



2 Description of PASS 

Define a ring of truncated polynomials as 

$$R = (\mathbb{Z}/q\mathbb{Z})[x]/(x^N - 1) \qquad (1)$$

where $q$ is a prime number and $N$ is a divisor of $q - 1$. A typical element $g$ of $R$ 
is denoted as a polynomial or as a vector 

$$g = g_0 + g_1 x + g_2 x^2 + \cdots + g_{N-1} x^{N-1} = [\,g_0\; g_1\; g_2\; \cdots\; g_{N-1}\,]$$

where $g_i \in \mathbb{Z}/q\mathbb{Z}$. The value of $g(\alpha)$ is computed as $g(\alpha) \bmod q$ for every 
$\alpha \in \mathbb{Z}/q\mathbb{Z}$. The norm of $g$ is the real number 

$$|g| = \sqrt{r_0^2 + r_1^2 + r_2^2 + \cdots + r_{N-1}^2},$$

where 

$$r_i = \begin{cases} g_i & \text{if } g_i < q/2 \\ q - g_i & \text{if } g_i > q/2 \end{cases}$$

A polynomial is called short if its norm is small. Since multiplication in $R$ is 
modulo $x^N - 1$, it is equivalent to a cyclic convolution product. For example, the product 
of $f$ and $g$ is given by 

$$h = f \cdot g \quad \text{with} \quad h_k = \sum_{i + j \equiv k \pmod N} f_i g_j .$$

Since the multiplication $h = f \cdot g$ is modulo $x^N - 1$, it follows that 

$$h(\alpha) = f(\alpha) \cdot g(\alpha) \bmod q$$

for every $\alpha$ satisfying $\alpha^N = 1 \bmod q$. 

A set $S$ of $t$ distinct non-zero elements $\alpha \in \mathbb{Z}/q\mathbb{Z}$ is chosen as a system-wide 
parameter. Each element $\alpha$ of $S$ is chosen such that $\alpha^N = 1 \bmod q$ and $\alpha^{-1} \in S$. 
Also public are four subsets of $R$, denoted $L_f$, $L_g$, $L_c$ and $L_h$, respectively, and 
defined as follows. Fix a positive integer $d_f < N/2$. Define $L_f$ to be the set of all 
polynomials $f$ in $R$ such that $f$ has $d_f$ coefficients equal to each of $1$ and $-1$, with 
all other coefficients equal to $0$. The norm of $f$ is thus $\sqrt{2 d_f}$. $L_g$ and $L_c$ are 
defined similarly using $d_g$ and $d_c$. $L_h$ is defined as the set of polynomials $h$ in $R$ 
satisfying $|h| < \gamma_h q$ for a specified $\gamma_h$. 

PASS is based on the fact that the product of two extremely short polynomials is 
still a short polynomial. 

2.1 PASS Authentication Scheme 

Alice, the prover, has a private key consisting of two polynomials $f$ and $f'$ that are 
chosen randomly from $L_f$. Her public key is the set of values $f(\alpha)$ and $f'(\alpha)$ for all 
$\alpha \in S$, where $S$ is the public system parameter given above. To prove to Bob, the 
verifier, that she possesses the secret key $f$, $f'$ associated with her public key, Alice 
proceeds as follows: 

• Alice randomly chooses $g$, $g'$ from $L_g$ and reveals the values of $g(\alpha)$ 
and $g'(\alpha)$ for all $\alpha \in S$. This is Alice's commitment. 

• Bob randomly chooses a challenge $c_0$ and sends $c_0$ to Alice. $c_0$ is 
hashed with the commitment to produce polynomials $c_1, c_2, c_3, c_4 \in L_c$. 

• Alice reveals the polynomial $h = c_1 f g + c_2 f g' + c_3 f' g + c_4 f' g'$. 

• Bob verifies that 

1) $h \in L_h$ (i.e., $|h| < \gamma_h q$); 

2) $h(\alpha) = c_1(\alpha) f(\alpha) g(\alpha) + c_2(\alpha) f(\alpha) g'(\alpha) + c_3(\alpha) f'(\alpha) g(\alpha) + c_4(\alpha) f'(\alpha) g'(\alpha)$ 
for all $\alpha \in S$. 
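As an added illustration of the ring arithmetic of Section 2 and of the commit/challenge/response round just described (example code written for this edition, not code from the PASS authors or from [3]): it runs one honest PASS authentication with constructed toy parameters q = 61, N = 60, t = 30, d_f = d_g = 2, d_c = 1, γ_h = 2.2 (far smaller than the proposed parameters of Section 2.3), uses SHA-256 to turn the challenge and commitment into c_1, ..., c_4 (the paper does not fix a hash, so this choice is an assumption), and applies both of Bob's checks. It also asserts the property h(α) = f(α) g(α) on S that makes check 2 work.

```python
"""Toy model of the PASS ring R = Z_q[x]/(x^N - 1) and one honest authentication round.
Added example; the parameters are constructed toy values, NOT the proposed ones (q = 769, N = 768)."""
import hashlib
import math
import random

Q, N, T = 61, 60, 30          # toy: q prime, N = q - 1 as in the paper, t = N/2
D_F, D_G, D_C, GAMMA_H = 2, 2, 1, 2.2


def make_S(q=Q, n=N, t=T):
    """t distinct non-zero alpha with alpha^N = 1 mod q, closed under inversion.
    With N = q - 1 every non-zero residue is an N-th root of unity."""
    S = []
    for a in range(2, q):
        if len(S) >= t:
            break
        inv = pow(a, -1, q)
        if a not in S and inv != a:   # skip the self-inverse elements 1 and q - 1
            S.extend([a, inv])
    assert len(S) == t and all(pow(a, n, q) == 1 for a in S)
    return S


def mul(f, g):
    """Cyclic convolution: h_k = sum_{i+j = k mod N} f_i g_j, i.e. f * g mod (x^N - 1)."""
    h = [0] * N
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[(i + j) % N] = (h[(i + j) % N] + fi * gj) % Q
    return h


def add(*polys):
    return [sum(cs) % Q for cs in zip(*polys)]


def evaluate(g, a):
    """g(alpha) mod q by Horner's rule."""
    v = 0
    for c in reversed(g):
        v = (v * a + c) % Q
    return v


def norm(g):
    """Euclidean length of the centred representatives r_i (g_i or q - g_i)."""
    return math.sqrt(sum((c if c <= Q // 2 else Q - c) ** 2 for c in g))


def random_short(d, rng):
    """Element of the set L with d coefficients +1, d coefficients -1, all others 0."""
    pos = rng.sample(range(N), 2 * d)
    p = [0] * N
    for i in pos[:d]:
        p[i] = 1
    for i in pos[d:]:
        p[i] = Q - 1            # -1 mod q
    return p


def derive_challenges(seed: bytes):
    """c_1..c_4 in L_c (d_c = 1) from a hash of challenge and commitment (SHA-256 assumed)."""
    digest = hashlib.sha256(seed).digest()
    polys = []
    for k in range(4):
        i, j = digest[2 * k] % N, digest[2 * k + 1] % N
        if i == j:
            j = (j + 1) % N
        c = [0] * N
        c[i], c[j] = 1, Q - 1
        polys.append(c)
    return polys


def verify(S, pub, commit, cs, h):
    """Bob's two checks: h in L_h, and h(alpha) matches the public/committed values on S."""
    c1, c2, c3, c4 = cs
    if norm(h) >= GAMMA_H * Q:
        return False
    for a in S:
        fa, f2a = pub[a]
        ga, g2a = commit[a]
        rhs = (evaluate(c1, a) * fa * ga + evaluate(c2, a) * fa * g2a
               + evaluate(c3, a) * f2a * ga + evaluate(c4, a) * f2a * g2a) % Q
        if evaluate(h, a) != rhs:
            return False
    return True


def pass_round(seed=1):
    """One honest prover/verifier round; returns (accepted, h, (S, pub, commit, cs))."""
    rng = random.Random(seed)
    S = make_S()
    f, f2 = random_short(D_F, rng), random_short(D_F, rng)          # Alice's private key
    pub = {a: (evaluate(f, a), evaluate(f2, a)) for a in S}         # her public key
    g, g2 = random_short(D_G, rng), random_short(D_G, rng)          # commitment polynomials
    commit = {a: (evaluate(g, a), evaluate(g2, a)) for a in S}
    c0 = rng.randrange(1 << 32)                                      # Bob's challenge
    cs = derive_challenges(c0.to_bytes(4, "big") + repr(sorted(commit.items())).encode())
    c1, c2, c3, c4 = cs
    h = add(mul(c1, mul(f, g)), mul(c2, mul(f, g2)), mul(c3, mul(f2, g)), mul(c4, mul(f2, g2)))
    return verify(S, pub, commit, cs, h), h, (S, pub, commit, cs)


def evaluation_is_multiplicative(seed=5):
    """The property behind check 2: (f * g)(alpha) = f(alpha) g(alpha) whenever alpha^N = 1."""
    rng = random.Random(seed)
    f, g = random_short(D_F, rng), random_short(D_G, rng)
    fg = mul(f, g)
    return all(evaluate(fg, a) == evaluate(f, a) * evaluate(g, a) % Q for a in make_S())


def norm_of_short(d, seed=3):
    """Norm of an element with d coefficients +1 and d coefficients -1: sqrt(2d)."""
    return norm(random_short(d, random.Random(seed)))
```

The norm check is deliberately kept even though it is loose at this toy size; with the proposed parameters it is the check that separates a short response from an arbitrary one.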
2.2 PASS Signature Scheme 

The private key and the public key in the signature scheme are the same as those in the 
authentication scheme. Alice, the signer, is to sign a message $M$ with her private 
key. She proceeds as follows: 

• Alice randomly chooses the polynomials $g$, $g'$ from $L_g$ and computes $g(S)$ 
(i.e., $\{ g(\alpha) \mid \alpha \in S \}$) and $g'(S)$. 

• Alice hashes $M$ with $g(S)$ and $g'(S)$ to construct polynomials 
$c_1, c_2, c_3, c_4 \in L_c$. 

• Alice computes $h$ as 

$$h = c_1 f g + c_2 f g' + c_3 f' g + c_4 f' g'$$

• The signature is $(g(S), g'(S), h)$. 

• The verification process in the signature scheme is the same as that in the 
authentication scheme, except that $c_1, c_2, c_3, c_4 \in L_c$ are generated from $g(S)$, 
$g'(S)$ and $M$ instead of from the challenge. 

2.3 A Specific Example of PASS 

The following parameters are suggested for PASS in [3]: 

$$q = 769,\quad N = 768,\quad t = N/2 = 384,$$
$$d_f = 256,\quad d_g = 256,\quad d_c = 1,\quad \gamma_h = 2.2$$

where $N$ is simply chosen as $q - 1$. It is estimated in [3] that PASS with these 
suggested parameters would be more secure than 1024-bit RSA, since recovering the 
PASS private key would take longer. Unfortunately, as we demonstrate in the 
remainder of the paper, PASS with these parameters is extremely weak and 
can be broken with a small amount of computation. 



3 Cryptanalysis of the PASS Authentication Scheme 

It was conjectured in [3] that for large $N$ and $t$ slightly larger than $N/2$, PASS 
would be sound. However, this conjecture is not true. We present an attack in 
this section that forges the authentication transcript independently of the sizes of $N$ and 
$t$. 

In PASS, recovering the private key $f$ and $f'$ from the public key is expected to 
be difficult. Moreover, for polynomials $f$ and $f'$ chosen randomly from $L_f$, given 
$f(\alpha)$ and $f'(\alpha)$ for all $\alpha \in S$, it is difficult to find short polynomials (with small 
norms) $f_1$ and $f_1'$ satisfying $f_1(\alpha) = f(\alpha)$ and $f_1'(\alpha) = f'(\alpha)$ for all $\alpha \in S$. 
However, we notice that in order to satisfy 

$$h(\alpha) = c_1(\alpha) f(\alpha) g(\alpha) + c_2(\alpha) f(\alpha) g'(\alpha) + c_3(\alpha) f'(\alpha) g(\alpha) + c_4(\alpha) f'(\alpha) g'(\alpha)$$

for all $\alpha \in S$ (i.e., the second condition verified by the verifier Bob), it is not 
necessary for $f_1$ and $f_1'$ to satisfy $f_1(\alpha) = f(\alpha)$ and $f_1'(\alpha) = f'(\alpha)$ for all $\alpha \in S$. 
The reason is that if $g(\alpha) = g'(\alpha) = 0$ for a particular $\alpha \in S$, then $f_1(\alpha)$ and 
$f_1'(\alpha)$ can be set to arbitrary values at that $\alpha$. If we can construct short 
polynomials $g$ and $g'$ such that $g(\alpha) = g'(\alpha) = 0$ for most of the $\alpha \in S$, then the 
short polynomials $f_1$ and $f_1'$ only need to satisfy $f_1(\alpha) = f(\alpha)$ and $f_1'(\alpha) = f'(\alpha)$ 
for a few $\alpha \in S$, and they can be constructed easily. In the following, we show how 
to generate the short polynomials $g$ and $g'$ with $g(\alpha) = g'(\alpha) = 0$ for most of the 
$\alpha \in S$. 

Theorem 1. Let $R$ be the ring defined in (1), $q$ be a prime number, $N = q - 1$ and 
$p$ be a divisor of $N$. If $g \in R$ and the coefficients of $g$ have period $p$, i.e., 
$g_i = g_{(i + kp) \bmod N}$ for any value of $k$, then there are at most $p$ non-zero elements $\alpha$ of 
$\mathbb{Z}/q\mathbb{Z}$ satisfying $g(\alpha) \neq 0$. 

Proof: The polynomial $g$ with period $p$ can be written as 

$$g(x) = (g_0 + g_1 x + g_2 x^2 + \cdots + g_{p-1} x^{p-1})(1 + x^p + x^{2p} + \cdots + x^{N-p}).$$

For $(x^p - 1) \bmod q \neq 0$, $g(x)$ can be written as 

$$g(x) = (g_0 + g_1 x + g_2 x^2 + \cdots + g_{p-1} x^{p-1}) \,\frac{x^N - 1}{x^p - 1}.$$

Note that $\alpha^N - 1 = 0 \bmod q$, thus a necessary condition for $g(\alpha) \neq 0$ is that 
$\alpha^p - 1 = 0 \bmod q$. Since there are at most $p$ distinct solutions in $\mathbb{Z}/q\mathbb{Z}$ of 
$\alpha^p - 1 = 0 \bmod q$, there are at most $p$ non-zero elements $\alpha$ in $\mathbb{Z}/q\mathbb{Z}$ satisfying 
$g(\alpha) \neq 0$. 

According to Theorem 1, short polynomials $g$ and $g'$ with $g(\alpha) = g'(\alpha) = 0$ 
for most of the $\alpha \in S$ can be constructed easily if $N$ has small factors. We simply 
choose their coefficients from the set $\{-1, 0, 1\}$ with a short period to generate the short 
polynomials $g$ and $g'$. Since the proposed value of $N$ is $768 = 3 \times 2^8$, there are a number 
of small factors of $N$ from which $g$ and $g'$ can be constructed easily. For example, if we 
give the coefficients of the short polynomials $g$ and $g'$ period 6, then most likely there 
will be about $(768 - 6)/2 = 381$ values of $\alpha \in S$ with $g(\alpha) = g'(\alpha) = 0$, since the 
elements of $S$ are chosen in [3] without awareness of this attack. 
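The following is an added numerical check of Theorem 1 at the proposed modulus (example code written for this edition, not code from the paper): it builds a polynomial with {-1, 0, 1} coefficients repeating with period 6 over q = 769, N = 768, evaluates it at all 768 N-th roots of unity and confirms that at most 6 of them give a non-zero value, each satisfying α^6 = 1 as the proof requires. The last function states the parameter check that follows from the theorem: the list of admissible periods is the divisor list of N, which for a prime N such as 761 (a constructed example, not a value from the paper) is just {1, N}.

```python
"""Numerical check of Theorem 1 for the proposed PASS modulus q = 769, N = 768.
Added example: a polynomial whose {-1, 0, 1} coefficients repeat with period p | N
evaluates to zero at every N-th root of unity except at most p of them."""
import random


def nth_roots_of_unity(q, n):
    """All alpha in (Z/qZ)* with alpha^n = 1 mod q (all 768 non-zero residues when N = q - 1)."""
    return [a for a in range(1, q) if pow(a, n, q) == 1]


def periodic_short_poly(n, p, q, rng):
    """Coefficients in {-1, 0, 1} (stored as residues mod q) repeated with period p: g_i = g_{i+p}."""
    block = [rng.choice((0, 1, q - 1)) for _ in range(p)]
    return [block[i % p] for i in range(n)]


def evaluate(g, a, q):
    """g(alpha) mod q by Horner's rule."""
    v = 0
    for c in reversed(g):
        v = (v * a + c) % q
    return v


def nonvanishing_roots(g, q, n):
    """Roots of unity at which g(alpha) != 0; Theorem 1 bounds their number by the period."""
    return [a for a in nth_roots_of_unity(q, n) if evaluate(g, a, q) != 0]


def check_theorem1(q=769, n=768, p=6, seed=1):
    """Returns (number of alpha with g(alpha) != 0, p); the first never exceeds the second."""
    rng = random.Random(seed)
    g = periodic_short_poly(n, p, q, rng)
    survivors = nonvanishing_roots(g, q, n)
    # every surviving alpha must satisfy alpha^p = 1, exactly as in the proof
    assert all(pow(a, p, q) == 1 for a in survivors)
    return len(survivors), p


def divisors(n):
    """Admissible periods for N; the parameter check is that this list is just [1, N]."""
    return [d for d in range(1, n + 1) if n % d == 0]
```

With t = 384 elements in S, the bound of 6 surviving roots is what gives the paper's estimate of about 381 vanishing values of α ∈ S.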
After obtaining the desired short polynomials $g$ and $g'$, we then proceed to 
construct the short polynomials $f_1$ and $f_1'$. Denote by $S_1$ the subset of $S$ containing 
all those $\alpha \in S$ with $g(\alpha) = g'(\alpha) = 0$, and denote $S_2 = S - S_1$. Now, the short 
polynomials $f_1$ and $f_1'$ are only required to satisfy $f_1(\alpha) = f(\alpha)$ and $f_1'(\alpha) = f'(\alpha)$ 
for all $\alpha \in S_2$. The construction of $f_1$ and $f_1'$ becomes much easier, especially when 
the number of elements in $S_2$ is sufficiently small. For example, if there are only 3 
elements in $S_2$, even an exhaustive search (randomly choosing the coefficients 
from the set $\{-1, 0, 1\}$) can be applied to determine the short polynomials $f_1$ and $f_1'$, 
since only about $769^3 = 2^{28.8}$ trials are needed in this scenario. It should be noted that 
such computations are done prior to the authentication process. With the four short 
polynomials $g$, $g'$, $f_1$ and $f_1'$, valid authentication transcripts can be produced. This 
attack is valid as long as $N$ has many small factors, like 768, regardless of the size of 
the challenge. 

To summarize the result of this section, the PASS authentication scheme with the 
proposed parameters is not secure, i.e., it is not sound. A cheater who knows only 
Alice's public key can easily produce valid authentication transcripts on Alice's behalf 
without knowing Alice's private key. The amount of computation required is 
small, and no previous authentication transcripts are needed in the attack. 



4 Cryptanalysis of the PASS Signature Scheme 

The attack described in Section 3 can be applied directly to break the PASS signature 
scheme. 

The attack in Section 3 depends essentially on the fact that $N = 768$ has small 
factors. It is thus necessary to choose $N$ as a prime number instead of $q - 1$. In this 
section, another attack is applied to the PASS signature scheme that works even if $N$ is chosen 
as a prime number. In this attack, the small size of $L_c$ enables signatures 
to be forged easily. 

We notice that $h$ can be written as 

$$h = c_1 f g + c_2 f g' + c_3 f' g + c_4 f' g'$$
$$= c_1 (f + r_1 f') g + c_2 (f + r_2 f') g'$$
$$= c_1 h_1 + c_2 h_2$$

where $c_3 = c_1 \cdot r_1$, $c_4 = c_2 \cdot r_2$, $h_1 = (f + r_1 f') g$ and $h_2 = (f + r_2 f') g'$. We could 
specify two polynomials $r_1$ and $r_2$ (the simplest way is to set $r_1 = r_2 = 1$). We then 
choose arbitrarily two short polynomials $h_1$ and $h_2$. Another two polynomials $g$ and 
$g'$ are computed to satisfy $h_1(\alpha) = (f(\alpha) + r_1(\alpha) f'(\alpha)) g(\alpha)$ and $h_2(\alpha) = 
(f(\alpha) + r_2(\alpha) f'(\alpha)) g'(\alpha)$ for all $\alpha \in S$. Here $g$ and $g'$ are not required to be 
short polynomials. After obtaining $g$ and $g'$, we compute $c_1, c_2, c_3$ and $c_4$. If 
$c_3 = c_1 \cdot r_1$ and $c_4 = c_2 \cdot r_2$ with the pre-specified polynomials $r_1$ and $r_2$, we have forged 
successfully a signature $(g(S), g'(S), h)$ in which 

$$h = c_1 h_1 + c_2 h_2 .$$

The probability of success of one trial is about $1/|L_c|^2$. Repeating this attack with 
different polynomials $h_1$ and $h_2$, the signature can finally be forged with 
about $0.5 \times |L_c|^2$ trials, which is about $2^{\ldots}$ for $N = 768$ and $d_c = 1$. 

The detailed attack is given in the rest of this section. Let $f$ and $f'$ be Alice's 
private key and $f(\alpha)$ and $f'(\alpha)$ be the corresponding public key for all $\alpha \in S = 
\{ \alpha_1, \alpha_2, \ldots, \alpha_t \}$. The attack is as follows. 

1. Arbitrarily choose $r_1, r_2 \in R$ such that for any $c \in L_c$, $r_1 c \in L_c$ and $r_2 c \in L_c$. 

2. Compute $\beta_{1,i} = f(\alpha_i) + r_1(\alpha_i) f'(\alpha_i)$ and $\beta_{2,i} = f(\alpha_i) + r_2(\alpha_i) f'(\alpha_i)$ for 
$i = 1, 2, \ldots, t$. Assume that $\beta_{1,i} \neq 0$, $\beta_{2,i} \neq 0$ for all $i = 1, 2, \ldots, t$ (we will 
deal with the case when some of them are 0 later). 

3. Let $F_1$, $F_2$ be two functions such that $F_1(\alpha_i) = \beta_{1,i}$ and $F_2(\alpha_i) = \beta_{2,i}$ for $i = 1, 
2, \ldots, t$. Choose two arbitrary short polynomials $h_1, h_2$. Compute the 
polynomials $G_1, G_2$ satisfying $h_1 = F_1 G_1$ and $h_2 = F_2 G_2$ on $S$. 

4. Hash message $M$ with $G_1(S), G_2(S)$ to generate $c_1, c_2, c_3$ and $c_4$. If the 
generated $c_1, c_2, c_3$ and $c_4$ happen to satisfy $c_3 = c_1 r_1$ and $c_4 = c_2 r_2$, we set 
$h = c_1 h_1 + c_2 h_2$ and $g = G_1$, $g' = G_2$. Otherwise, go to step 3 and repeat 
the attack. 

5. $(h, g(S), g'(S))$ is a valid signature of $M$. 

In step 4, we note that the generated $c_1, c_2, c_3$ and $c_4$ satisfy $c_3 = c_1 r_1$ and $c_4 = c_2 r_2$ with 
probability $1/|L_c|^2$. That is the success rate of one trial. 

In this attack, step 1 and step 4 can be carried out easily, as shown in Theorems 2 
and 3 in the Appendix, respectively. 

In step 2 we assumed that $\beta_{1,i} \neq 0$, $\beta_{2,i} \neq 0$ for all $i = 1, 2, \ldots, t$. Such an assumption is, 
however, not always true. In the following, we improve the attack so that it works 
even if up to four elements of $\{ \beta_{1,i} \mid i = 1, 2, \ldots, t \}$ and four elements of 
$\{ \beta_{2,i} \mid i = 1, 2, \ldots, t \}$ are zero. We start with the following two facts. 

Fact 1. Let $c_1, c_2 \in L_c$. If each of $h_1, h_2$ has $N - 4$ small coefficients and four 
arbitrary coefficients, then $h = c_1 h_1 + c_2 h_2$ has norm $|h| < 2.2 q$. 

This is because 

1) $h$ has $N - 16$ small coefficients and 16 arbitrary coefficients; 

2) for the small coefficients, the sum of $r_i^2$ is less than $0.8 q^2$ if $K < \ldots$. This 
is fulfilled if each of the small coefficients of $h_1, h_2$ is smaller than $0.2 q$; 

3) from the definition of the norm in Section 2, $r_i^2 \leq q^2/4$ for any $h_i$; 

4) thus $\sum_{i=0}^{N-1} r_i^2 < 4 q^2 + 0.8 q^2$, which implies $|h| < 2.2 q$. 

Fact 2. Let $F \in R$ and $F(\alpha) = 0$ for up to 4 elements $\alpha \in S \subset \mathbb{Z}/q\mathbb{Z} - \{0\}$. Based on 
Theorem 4 in the Appendix, it is easy to construct a $G \in R$ such that $H$ ($H = FG$) 
has $N - 4$ arbitrarily small coefficients. 

With Fact 1 and Fact 2, our attack can be applied in the situation where up to four 
elements of $\{ \beta_{1,i} \mid i = 1, 2, \ldots, t \}$ and four elements of $\{ \beta_{2,i} \mid i = 1, 2, \ldots, t \}$ are zero. For 
$N = 768$ and $t = N/2$, the probability that more than four elements of 
$\{ \beta_{1,i} \mid i = 1, 2, \ldots, t \}$ or more than four elements of $\{ \beta_{2,i} \mid i = 1, 2, \ldots, t \}$ are 0 is only about 
$2^{\ldots}$. So the improved attack succeeds without being significantly affected by 
the values of $\beta_{1,i}$ and $\beta_{2,i}$. 

A similar attack can be applied to the PASS authentication scheme. A valid 
authentication transcript can be generated with probability $1/|L_c|^2$. This value is 
about $2^{\ldots}$ for the proposed parameters. The PASS authentication scheme with the 
proposed parameters is thus not secure with respect to this attack. 



5 Conclusion 

PASS is a highly efficient public key authentication and signature scheme that was 
designed to resist the LLL lattice reduction method and the improved LLL method. The 
authors of PASS estimated that the breaking time for the proposed parameter 
$N = 768$ is approximately $4.73 \times 10^{\ldots}$ MIP-years [3]. In this paper we showed that the 
above claim is false and that PASS with the proposed parameters is not sound. That is, 
one can forge authentication transcripts or signatures without recovering the private 
key and with a small amount of computation. 

We presented two attacks on PASS. Both attacks apply to the PASS authentication 
scheme and the PASS signature scheme, though we only demonstrated the first attack 
on the PASS authentication scheme in Section 3 and the second attack on the PASS 
signature scheme in Section 4. The first attack succeeds in forging authentication 
transcripts (or signatures) by exploiting the fact that the proposed parameter $N = 768$ 
has small factors. To resist this attack, we suggest choosing $N$ as a prime number. 
However, a prime $N$ cannot resist the second attack presented in Section 4, which 
succeeds in breaking PASS using the fact that the space $L_c$ is too small. 
Enlarging $q$ is not an effective countermeasure against our second attack, since $q$ 
must be very large in order to give PASS reasonable security, in which case its 
computational efficiency will degrade significantly. Modifications may be applied to 
other parameters of PASS such as $d_f, d_g, d_c$, etc.; however, their security implications 
must be considered very carefully, since the corresponding $\gamma_h$ must be changed in that 
case, and $\gamma_h$ is a key factor for the security of PASS under other attacks such as the 
LLL attack. 

Generally, we believe that any further modification to PASS should take the 
attacks presented in this paper into consideration. 
Appendix 

Theorem 2. There exists a polynomial $r \in R = (\mathbb{Z}/q\mathbb{Z})[x]/(x^N - 1)$ such that for any 
$c \in L_c$ the product $r \cdot c \in L_c$. 

Proof: The validity of this theorem is trivial, by noting that $x^i$ fulfills the requirement 
for any $i$. 

Theorem 3. Let $F \in R$ and $F(\alpha) \neq 0$ for $\alpha \in S \subset \mathbb{Z}/q\mathbb{Z} - \{0\}$. For any $H \in R$, it is 
easy to construct a $G \in R$ such that $F(\alpha) G(\alpha) = H(\alpha)$ for all $\alpha \in S$. 

Proof: Given $H$, the values of $H(\alpha)$ for all non-zero $\alpha \in S$ can be computed. 
Define $G(\alpha) = H(\alpha)/F(\alpha)$ for $\alpha \in S$ and arbitrarily set $G(\alpha)$ for $\alpha \in 
\mathbb{Z}/q\mathbb{Z} - \{0\} - S$. The coefficients of $G$ can be computed directly since 

Lemma 1. The rank of $F$ equals the number of $\alpha \in \mathbb{Z}/q\mathbb{Z} - \{0\}$ satisfying $F(\alpha) \neq 0$. 

Consider all the $E$ satisfying $FE = 0$. All these $E$ (their coefficient vectors) form 
a linear space; it is the null space of $F$. Every such $E$ must satisfy $E(\alpha) = 0$ for those $\alpha$ 
such that $F(\alpha) \neq 0$. By counting the number of such $E$ we reach Lemma 1. 

Theorem 4. Let $F \in R$ and $F(\alpha) = 0$ for exactly $k$ elements $\alpha \in \mathbb{Z}/q\mathbb{Z} - \{0\}$. It is easy to 
construct a $G \in R$ so that the polynomial $H = FG$ has $N - k$ arbitrarily small 
coefficients. 

Proof. From Lemma 1 the rank of $F$ is $N - k$. There are $k$ linearly independent rows 
in $F$. Without loss of generality, assume that the first $N - k$ rows are linearly 
independent. Arbitrarily set the last $N - k$ coefficients of $H$ as small numbers. 
Solve $G$ from 
Abstract. A major problem of mobile agents is their apparent inability to 
authenticate transactions in hostile environments. In this paper, we consider a 
framework for the prevention of agent tampering without compromising the 
mobility or autonomy of the agent. Our approach uses encrypted functions. We 
present an RSA implementation which answers affirmatively the open problem 
on undetachable signatures of Sander and Tschudin. 



1 Introduction 

Traditional software programs use primarily the Remote Procedure Call (RPC) for 
remote applications, which is performed in accordance with the client - server archi- 
tecture. The principle of Remote Programming (RP) forms an alternative to RPC. In 
the RP approach, the client object, instead of exchanging request and reply messages 
remotely, is itself transferred to the server and is executed locally. The mobile agent 
paradigm constitutes a way of implementing Remote Programming. 

Mobile agents are autonomous software entities that are able to migrate across dif- 
ferent execution environments. Mobility and autonomy make permanent connections 
unnecessary; thus mobile agents are suitable for providing low-bandwidth connections 
and asynchronous communication [1,2,9,21]. Furthermore, they provide better support 
for heterogeneous environments. 

The characteristics of mobile agents make them ideal for electronic commerce ap- 
plications in open networks. A mobile agent can search for special products or serv- 
ices and negotiate on behalf of its owner with other entities. Furthermore, mobile 
agents can be used as selling agents. However, mobile agents are vulnerable to several 
attacks and in particular to attacks by malicious hosts. Until quite recently there was a 
general belief that mobile agent vulnerability could be prevented only with hardware 
solutions. Chess et al state [2]: "It is impossible to prevent agent tampering unless 
trusted (and tamper-resistant) hardware is available... Without such hardware, a 
malicious [host] can always modify/manipulate the agent". This belief however has been 
shown to be misleading and is referred to as "the Chess paradox" in the literature [15]. 

Jakobsson and Juels propose executable code (X-cash) which binds the user to a 
payment transaction [8]. The user links the executable code with a so-called negotiable 
certificate that warrants a restricted purchase. This protocol is practical but not 
very flexible, in the sense that it requires the issuing of a large number of negotiable 
certificates for certain purchases. 

Sander and Tschudin [15] propose the use of encrypted functions. The user en-
crypts a function s, which is then executed by the host, without the host having access 
to s. Although the approach is very promising, no secure implementation has been 
proposed as yet. Our approach is also based on encrypted functions but is provably 
secure. 

Organization of the Paper. In Section 2 we review the security issues of mobile 
agents. In Section 3 we discuss the requirements for secure computations with 
encrypted functions and review undetachable signatures. In Section 4 we consider a 
realization of an undetachable RSA signature scheme which allows a mobile agent to 
conduct a transaction inside a hostile host without being abused. This realization is 
provably secure and answers affirmatively the open problem of Sander and Tschudin 
on undetachable signatures [15]. We conclude in Section 5. 



2 An Overview of the Security Issues for Mobile Agents 

Although the mobile agent paradigm extends the capabilities of traditional ways of 
remote communication and distributed computing, it also raises new security issues 
[3]. These are generally divided into two broad areas: i) protecting the host from mali- 
cious agents, and ii) protecting the agent from hostile hosts. 

Protecting the host from attacks by malicious agents is possible by using effective 
access control and sandbox mechanisms (e.g. Java's sandbox security component). A 
more challenging problem is to protect an agent from being abused by a hostile server. 
During the execution of a mobile agent, the agent is in a very asymmetric relation with 
regards to the server, since the server must be able to access the agent’s code, data and 
state, in order to execute it. It is not clear how private information (such as a secret 
key) can be used by an agent, without revealing it to its executing environment. A 
hostile host could easily appropriate the secret key when the agent attempts to use it. It 
is believed that this is a very hard problem to solve [1]. For example, Yi et al [20] 
state: "Current consensus is that it is computationally impossible to protect mobile 
agents from malicious hosts. Instead of tackling the problem from a computational 
(difficult) point of view, current research is looking at sociological means of enforcing 
good host behavior". 

Research efforts for solving the problem of hostile hosts are broadly divided into 
two main categories [15,17]: 

• Detection of agent tampering. 
This category includes solutions that aim to detect agent tampering a posteriori, 
trace the identity of the illegitimate host and prove its misbehavior. Vigna [6] intro- 
duced a tracing mechanism, which records the execution of the agent and its interac- 
tion with the execution environment. The tracing mechanism will reveal the malicious 
host. Yi et al proposed the use of an Agent Service Center [20], which traces the itin- 
erary of the agent. Kotzanikolaou et al [9] use a multi-agent system that can trace 
which mobile agents were victims of malicious behavior. 

These systems may provide partial solutions to particular problems. However, there 
are cases where a posteriori detection is not sufficient. 

• Prevention of agent tampering 

The philosophy of this approach is to prevent agent tampering a priori. There are 
two cases to be considered: passive and active prevention. Passive prevention mecha- 
nisms protect the agents by using organizational or architectural solutions. Farmer et 
al [5] propose a scheme where mobile agents are only able to circulate in trusted exe- 
cution environments. Merwe and Sholms [12] introduce a trade agent system where 
the agents are implemented with distributed objects that communicate remotely. Some 
detection mechanisms also use passive prevention techniques, e.g. [9,20]. 

These approaches either make strong assumptions on the trustworthiness of a host 
[5], or compromise many of the advantages of mobile agents such as autonomy [9,20] 
and migration [12]. 

Active prevention focuses on the development of solutions that provide an agent 
with protection from attacks of hostile hosts, without compromising the advantages of 
the mobile agent paradigm. These may use secure hardware devices, e.g. [13,18]. 
However, their deployment is low, mainly because of the high costs involved. The 
exploration of active prevention mechanisms that are software-based, is a recent field 
of research. Fig. 1 shows the security issues related to the mobile agent paradigm. 




A first approach for software-based active prevention of agent tampering is the use 
of obfuscation techniques or scrambling and mess-up algorithms, as proposed by Hohl 
[6]. This approach could be useful on certain occasions where an agent carries time-
limited token data. However, the security of this method cannot be proven. 

In [11] a method is proposed which allows Alice to send mobile code to an un-
trusted host (Bob) and evaluate an encrypted Boolean function, while maintaining the 
confidentiality of the function. The security of the scheme is reduced to the security of 
the McEliece public key cryptosystem. Unfortunately, under this scheme nobody 
except Alice can decrypt the result, because Alice's private key is 
involved in the decryption process. 

Sander and Tschudin [15] use a technique called Computing with Encrypted Func-
tions (CEF). The host executes an encrypted function $s \circ f$, where $f$ is the encrypting 
function, without having access to the function $s$. The security of the method relies on 
the difficulty of decomposing the encrypted function. Because the spirit of mobile 
agents is to perform computations in a mostly autonomous way, the authors in [15] 
explore the requirements for deploying non-interactive CEF. A candidate class of 
functions which can be used for non-interactive CEF consists of the multivariate 
rational functions. 

The authors in [15] observe that it would be useful to employ algebraic homomor- 
phic functions in the CEE approach. Unfortunately, so far there are no known provably 
secure algebraic homomorphic encryption functions [15]. So the problem of preven- 
tion of agent tampering in hostile environments remains open. 



3 Encrypting a Signature Function 

Undetachable signatures were proposed by Sander and Tschudin and are based on 
non-interactive CEE [15]. 

Suppose that a Customer wishes to send a mobile Agent to purchase some goods 
from an electronic shop over the Internet. The Agent can autonomously authenticate 
the transaction only if it is able to use a signature function $s$ of the Customer. How-
ever, the Agent is executed by a potentially hostile Server. To protect the signature 
function $s$, the Customer encrypts it with a function $f$ to obtain 

$$f_{signed} = s \circ f \qquad (1)$$

and gives the pair of functions $(f(\cdot), f_{signed}(\cdot))$ to the Agent as part of its executable 
code. On migration, the Server executes the pair $(f(\cdot), f_{signed}(\cdot))$ on input $x$ to obtain the 
undetachable signature pair 

$$f(x) = m \quad \text{and} \quad f_{signed}(x) = s(f(x)) = s(m).$$

The pair of functions $(f(\cdot), f_{signed}(\cdot))$ enables the Agent to create signatures of the 
Customer on messages of the Server, without revealing the signature function $s$ (the 
secret key of $s$) to the latter. The input $x$ of the Server is linked to the Server's bid. The 
parameters of the function $f$ are such that the output of $f$ includes the Customer's con-
straints. Thus, $m = f(x)$ links the constraints of the Customer to the bid of the Server. 
This is certified by $f_{signed}(x) = s(m)$, which employs the signature function $s$ of the 
Customer. The Server cannot use the pair $(f, f_{signed})$ to sign arbitrary messages, because 
the function $f$ is linked to the constraints of the Customer. These constraints may in-
clude a detailed description of the required product, the maximum acceptable price, 
time-stamps and other requirements of the Customer. 



Requirements for Secure Undetachable Signatures 

• It must be feasible for the Agent to execute the encrypted function (1) (in polyno- 
mial time) on the input x of the Server. 

• The pair of functions / and s must be such that it is hard to get s by decomposing 
the encrypted function (1). 

In the following section we give an implementation of undetachable signatures 
with RSA [14] signatures. 



4 A Secure Solution for the Sander - Tschudin Open Problem on 
Undetachable Signatures 

For a realization of undetachable signatures, the authors in [15] proposed among oth- 
ers, the use of birational functions as introduced by Shamir [16]. However, the 
schemes resulting from these constructions are insecure [15] and subject to the Cop- 
persmith, Stern and Vaudenay attack [4]. The existence of a secure undetachable 
signature scheme remains an open problem [7,15]. 

Below we will describe a non-interactive CEF undetachable signature scheme, 
which uses exponential functions as encrypting functions instead of birational func- 
tions and is provably secure. Our protocol is based on the RSA cryptosystem. 



A Protocol for Secure Transactions with Mobile Agents 

Setting. We use an RSA setting. Each Customer selects a modulus $n$ which is the 
product of two large primes $p, q$ and a number $e$, $1 < e < \varphi(n) = (p - 1)(q - 1)$, such that 
$\gcd(e, \varphi(n)) = 1$. Let $d$ be such that $1 < d < \varphi(n) = (p - 1)(q - 1)$ and $de = 1 \bmod \varphi(n)$, 
and let hash be an appropriate hash function (e.g. MD5). 

Let C be an identifier for the Customer, req_C the constraints of the Customer and 
h = hash(C, req_C) a binary string whose value is bounded by $n$. The constraints 
req_C define the requirements of the Customer for a specific purchase. These may 
include the description of a desired product, the maximum price that is acceptable to 
the Customer and a deadline for the delivery of the product. Furthermore, they may con-
tain an expiration date and a timestamp. Let S be an identifier for the 
Server and bid_S the bid of the Server, whose structure is analogous to req_C. 
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Preparing the Agent. The Customer gives to the Agent as part of its executable code 
the undetachable signature function pair 

/(.) = A*’ modn 

and 

liuneA-) = k''’modn 

where k = h‘‘ modn is the Customer’s RSA signature of h. Observe that is the 
encryption s of of the RSA signature function i (.) = (,)‘^ modn of the Customer, that 
is: 

= * off) = s (/(.))= ^ 4’)= 4-y = (h“f = k^-\ 

The Agent then migrates to the Server with the pair of functions (/(.), 
part of its code and with (C, reqjC) as part of its data. 

Executing the Agent. The Server executes the Agent on input x = hash(5', C, bid_S) to 
obtain the RSA signature (m, z), with 

m =f(x) = h’ modn and 

Z = = k’ modn = (Jif modn = modn = mt modn = s (m). 



Parameters: $d$: Customer's secret key; $n, e$: Customer's public key.
Inputs: req_C: the Customer's requirements (constraints); bid_S: the Server's bid.

Fig. 2. A secure undetachable signature scheme based on RSA and exponential functions

In this protocol, the Agent is given the certified requirements of the Customer $(h, k)$, where $k = h^d \bmod n$. The Server modifies these by including its bid bid_S in the input $x$, in such a way as to get an undetachable signature $(m, z)$ for the transaction, where $m = f(x)$ and $z = f_{signed}(x)$. This serves as a certificate which is authenticated by the Customer ($z = m^d \bmod n$). The certified constraints of the Customer, req_C, and the bid of the Server, bid_S, restrict the scope of the certificate $(m, z)$ to "optimal bid" transactions with appropriate time-limits (or more generally, to whatever requirements the Customer and the Server stipulate). The protocol is illustrated in Fig. 2. Note that even if a Server ignores the Customer's constraints req_C and executes the Agent (functions $(f, f_{signed})$) in order to produce an undetachable signature of the Customer for a bogus bid, the signature will be invalid. If a Server is not willing to bid for a purchase, then it forwards the Agent to another Server.
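The protocol above run end to end, as an added Python example (not code from the paper or its authors): the Customer prepares $f$ and $f_{signed}$ with toy RSA parameters, the Server executes them on $x = hash(S, C, bid\_S)$, and a verifier holding only the Customer's public key checks both the RSA relation $z^e \equiv m \pmod n$ and that $m = h^x$ for the Customer's own certified constraints, then applies the Customer's policy to the bid. The "key=value;" encoding of req_C and bid_S, the SHA-256 stand-in for $hash$, the 16-bit primes and all names are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


def H(*parts: str, n: int) -> int:
    """hash(...) as an integer in [1, n-1]; SHA-256 stands in for the paper's MD5."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (n - 1) + 1


@dataclass
class CustomerKey:
    n: int   # public modulus
    e: int   # public exponent
    d: int   # secret exponent


def customer_keygen(p: int = 65521, q: int = 65519, e: int = 65537) -> CustomerKey:
    """Toy RSA key from two 16-bit primes (constructed for illustration only)."""
    phi = (p - 1) * (q - 1)
    return CustomerKey(p * q, e, pow(e, -1, phi))


def prepare_agent(key: CustomerKey, C: str, req_C: str) -> dict:
    """Customer side: h = hash(C, req_C), k = h^d mod n (the RSA signature of h);
    the Agent carries f(x) = h^x mod n and f_signed(x) = k^x mod n plus (C, req_C)."""
    n = key.n
    h = H(C, req_C, n=n)
    k = pow(h, key.d, n)
    return {"f": lambda x: pow(h, x, n),
            "f_signed": lambda x: pow(k, x, n),
            "C": C, "req_C": req_C}


def server_execute(agent: dict, S: str, bid_S: str, n: int) -> tuple:
    """Server side: x = hash(S, C, bid_S); returns the undetachable signature (m, z)."""
    x = H(S, agent["C"], bid_S, n=n)
    return agent["f"](x), agent["f_signed"](x)


def verify_certificate(n: int, e: int, C: str, req_C: str, S: str, bid_S: str, m: int, z: int) -> bool:
    """m must be h^x for the Customer's own constraints, and z must be m^d (checked as z^e = m)."""
    h = H(C, req_C, n=n)
    x = H(S, C, bid_S, n=n)
    return m == pow(h, x, n) and pow(z, e, n) == m


def bid_meets_constraints(req_C: str, bid_S: str) -> bool:
    """Customer-side policy on the certified constraints (the encoding is constructed)."""
    req = dict(kv.split("=", 1) for kv in req_C.split(";"))
    bid = dict(kv.split("=", 1) for kv in bid_S.split(";"))
    return bid["product"] == req["product"] and int(bid["price"]) <= int(req["max_price"])


def demo() -> dict:
    key = customer_keygen()
    C, S = "customer-42", "shop-7"
    req_C = "product=laptop;max_price=1200;deadline=2000-07-31"
    agent = prepare_agent(key, C, req_C)

    good_bid = "product=laptop;price=1150;delivery=2000-07-20"
    m, z = server_execute(agent, S, good_bid, key.n)
    valid = (verify_certificate(key.n, key.e, C, req_C, S, good_bid, m, z)
             and bid_meets_constraints(req_C, good_bid))

    # A Server that rewrites req_C cannot make (m, z) match the edited constraints:
    # h' = hash(C, req_C') differs from the h that k was computed for.
    tampered = verify_certificate(key.n, key.e, C, req_C.replace("1200", "5000"),
                                  S, good_bid, m, z)

    # A bogus bid still yields an RSA-consistent pair, but it lies outside the
    # certified constraints, so the Customer discards it.
    bogus_bid = "product=laptop;price=4999;delivery=2000-07-20"
    m2, z2 = server_execute(agent, S, bogus_bid, key.n)
    bogus_rsa_ok = verify_certificate(key.n, key.e, C, req_C, S, bogus_bid, m2, z2)
    bogus_accepted = bogus_rsa_ok and bid_meets_constraints(req_C, bogus_bid)
    return {"valid": valid, "tampered_constraints": tampered,
            "bogus_bid_rsa_ok": bogus_rsa_ok, "bogus_bid_accepted": bogus_accepted}
```

`demo()` returns `valid` and `bogus_bid_rsa_ok` as `True` and `tampered_constraints` and `bogus_bid_accepted` as `False`: the exponential functions bind the Customer to $(C, req\_C)$, while the check of bid_S against req_C is what turns an RSA-consistent pair into a certificate the Customer will honour.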

Proposition. The undetachable signature scheme described above is as secure as the RSA cryptosystem.

Proof. A hostile Server must successfully forge (with non-negligible probability) a new valid undetachable signature $(h, k)$ for a transaction $(x, m, z)$, given a history of earlier valid transactions. Note that the certificate $(h, k)$ is an integral part of the transaction. Clearly, there is no problem constructing $(x, m, z)$ for a given $(h, k)$. The problem for a malicious Server is to construct a new RSA signature $(h', k')$ of the Customer which will include modified constraints req_C' of the Customer. If this is possible, then one can also break the RSA signature scheme.

Main Features of the Scheme: 

• Efficiency: The RSA implementation of our scheme involves only three exponentiations.

• The Server is able to bind the Customer to the transaction via an undetachable signature, which links the constraints of the Customer req_C and the bid of the Server bid_S.

• A malicious Server can produce a signature $s(m^*)$ of a message $m^*$ that includes a bogus bid bid_S (not compatible with req_C), but such a signature will be invalid.

• This protocol is asymmetric. The Server is not committed to the transaction, whereas the Customer is. The protocol is therefore subject to impersonation attacks on the Server. For symmetry the Customer may request that the Server sign the transaction to bind itself to the bid. In this application this is of little concern, because bogus bids bid_S will be discarded by the Customer. However, for applications in which the bid R_S must be authenticated, the Server is required to sign R_S.

• In the protocol described above there is no privacy. Exchanged data can be read by any eavesdropper. To achieve privacy, the Customer must encrypt the code and the data of the Agent with the public encryption key of the Server, and the Server must encrypt the result of the Agent's execution with the public encryption key of the Customer.

• In order to avoid the possibility that an Agent binds the Customer to more than one valid bid of several Servers for a single purchase, a priority policy among bids must be set. In a simple solution, the Agent terminates when it finds the first acceptable bid. In case of dispute, time-stamps can be used and the Server that provides the oldest valid undetachable signature of the Customer is the winner. More sophisticated solutions could be constructed with the involvement of an Agent Broker. In such a scheme, the Agent Broker could act as middleware between Customers and Servers of electronic shops and help in the achievement of optimal contracts.



5 Conclusion 

Current research on software-based active prevention contradicts the general belief that mobile code vulnerability could be actively prevented only with hardware-based solutions. In this paper we prove that it is possible for mobile agents to conduct private and binding transactions in a hostile environment by using cryptographic primitives.

We present a solution to the hostile host problem based on the RSA signature scheme, which is provably secure. This answers positively the Sander-Tschudin problem of undetachable signatures. Our basic scheme is asymmetric and does not bind the Server to the transaction. For a symmetric scheme we require that the Server also authenticate the transaction.
Abstract. A multisignature scheme allows plural users to generate a signature on a message, and allows that signature to be verified. Various studies on multisignature have been proposed ([4,13,11,8,1]). They are classified into two types: RSA ([9]) based multisignature ([4,8]), and discrete logarithm problem (DLP) based multisignature ([13,11,1]), all of which assume that a message is fixed beforehand. In a sense, these protocols do not have the feature of message flexibility. Furthermore all schemes which satisfy order verifiability designate the order of signers beforehand [13,1]. Therefore these protocols have the feature of order verifiability but not order flexibility.

For the practical purpose of circulating messages soundly through the Internet, a multisignature scheme with message flexibility, order flexibility and order verifiability should be required. However, unfortunately, no previous multisignature realizes these features. In this paper, we propose a multisignature scheme with flexibility and verifiability. We also present two practical schemes based on a DLP based message recovery signature ([7]) and the RSA signature ([4]), respectively.



1 Introduction 

With the spread of personal computers and networks, messages like documents, data, software, etc., have been circulated through the Internet. In such an environment, an entity sends/forwards an original message to others, or sends a modified message to others. Through the process of circulation, a message is improved or gains a convenient feature one step at a time, and is finally completed. Recently, however, a new problem has arisen: a computer virus may be mixed into a message through the process of this circulation. Apparently it is an obstacle to circulating messages soundly through the Internet. Another problem concerns copyright: it is necessary to distinguish the original author from the authors who modify the original message in a circulating message. This is why a multisignature scheme suitable for such an environment should be required.

Up to the present, various studies on multisignature have been proposed ([4,13,11,8,1]). They are classified into two types: RSA ([9]) based multisignature ([4,8]), and discrete logarithm problem (DLP) based multisignature ([13,11,1]). All schemes assume that a message is fixed beforehand since they suppose the following scenario: a message fixed beforehand is passed and signed one by one through members of an organization like a company. Therefore these schemes cannot handle the following situation: an original message is passed and modified by unspecified entities. Furthermore we want to guarantee the following points about such a circulating message: who writes the original message, who modifies the message, to what the message is modified, and in which order the message is modified. In previous multisignature schemes ([4,13,11,8,1]), signing is obliged to start again from the first signer if one of the signers wants to modify a message: these do not have the feature of message flexibility. Furthermore [4,11,8] do not have the feature of order verifiability either. Order verifiability is first realized in [13,1]. However they must designate the order of signers beforehand. If we want to change the order of signers, add a new signer, or exclude a signer, we are obliged to reset some data like public keys [1]: these have the feature of order verifiability but not order flexibility. Therefore previous schemes are not suitable for handling the above situation in which a message circulates through unspecified entities.

In this paper, we propose a basic model of a multisignature scheme that has the following three features:

Message flexibility: A message does not need to be fixed beforehand. Therefore each signer can modify an original message.

Order flexibility: Neither the order of signers nor the signers themselves need to be designated beforehand. Therefore we can easily change the order of signers, add a new signer and exclude a signer.

Message and order verifiability: Each entity can verify who is the original author of a message, who modifies the original message and furthermore to what or in which order the message is modified.

We also present two practical schemes based on the DLP based message recovery signature ([7]) and the RSA signature ([4]). Furthermore we discuss some typical attacks against our scheme such as ordinary forgery, swapping the order of signers, and excluding a signer. We denote the functions to break DLP, to forge our scheme under the ordinary assumption, to forge it by swapping the order of signers, and to forge it by excluding a signer, by DLP, Forge, SWAP, and Exclude, respectively. Then we prove the following theorems by using polynomial-time truth-table ($\le^p_{tt}$) reducibility of functions:

(1) Forge $\equiv^p_{tt}$ DLP, (2) SWAP $\equiv^p_{tt}$ DLP, and (3) Exclude $\equiv^p_{tt}$ DLP.

Furthermore we investigate the feature of Robustness in a multisignature scheme: a message cannot be recovered if the signature verification fails. This matters because an unauthentic message might damage a receiver, especially when a message circulates through unspecified entities. Therefore the following feature should be required:

Robustness: If the signature verification on a message fails, then prevent such an unauthentic message from damaging a receiver.
We also propose a multisignature scheme with Robustness, multisigncrypt, which combines our multisignature with an encryption function. Our multisigncrypt has the feature that a message cannot be recovered if the signature verification fails.

This paper is organized as follows. Section 2 summarizes a multisignature scheme ([1]) and discusses several drawbacks in the case that a message circulates through unspecified entities. Section 3 investigates a model of multisignature with flexibility and verifiability. Section 4 presents two practical schemes concretely and discusses their performance. Section 5 discusses the security of our multisignature scheme. Section 6 presents our multisigncrypt scheme.



2 Previous Work 

In this section, we summarize a previous multisignature scheme ([1]).



2.1 Previous Multisignature Scheme 

We assume that $n$ signers $I_1, I_2, \ldots, I_n$ generate a signature on a fixed message $M$ according to an order fixed beforehand.

Initialization: A trusted center generates a prime $p$, $g \in \mathbb{Z}_p^*$ with prime order $q$, and sets a hash function $h()$. A signer $I_i$ generates a random number $a_i \in \mathbb{Z}_q^*$ as $I_i$'s secret key. Then $I_i$'s public key is computed sequentially as follows: $y_1 = g^{a_1} \pmod p$, $y_i = (y_{i-1} \cdot g)^{a_i} \pmod p$. Then the public key of the ordered group $(I_1, I_2, \ldots, I_n)$ is set to $y = y_n$.

Signature generation:

(1) Generation of $r$: Signers $I_1, \ldots, I_n$ generate $r$ together as follows.

1. $I_1$ selects $k_1 \in \mathbb{Z}_q^*$ randomly and computes $r_1 = g^{k_1} \pmod p$. If $\gcd(r_1, q) \ne 1$, then select a new $k_1$ again.

2. For $i \in \{2, \ldots, n\}$; a signer $I_{i-1}$ sends $r_{i-1}$ to $I_i$. $I_i$ selects $k_i \in \mathbb{Z}_q^*$ randomly and computes $r_i = r_{i-1}^{a_i} \cdot g^{k_i} \pmod p$. If $\gcd(r_i, q) \ne 1$, then select a new $k_i$ again.

3. $r = r_n$.

(2) Generation of $s$: Signers $I_1, \ldots, I_n$ generate $s$ together as follows.

1. $I_1$ computes $s_1 = a_1 + k_1 r \cdot h(r, M) \pmod q$.

2. For $i \in \{2, \ldots, n\}$; $I_{i-1}$ sends $s_{i-1}$ to $I_i$. $I_i$ verifies that $g^{s_{i-1}} \equiv y_{i-1} \cdot r_{i-1}^{\,r \cdot h(r, M)} \pmod p$, then computes $s_i = (s_{i-1} + 1) a_i + k_i r \cdot h(r, M) \pmod q$.

3. $s = s_n$.

(3) The multisignature on $M$ by order $(I_1, \ldots, I_n)$ is given by $(r, s)$.

Signature Verification: A multisignature $(r, s)$ on $M$ is verified by checking

$g^s \equiv y \cdot r^{\,r \cdot h(r, M)} \pmod p.$
2.2 Drawbacks

In this section, we discuss the drawbacks of the previous scheme in the following situation: each entity sends an original message or a modified message to others. In such a situation, a multisignature scheme should satisfy the following conditions:

Message flexibility: A message does not need to be fixed beforehand. There- 
fore each signer can modify an original message. 

Order flexibility: Neither order of signers nor signers themselves need to be 
designated beforehand. Therefore we can easily change order of signers, add a 
new signer and exclude a signer. 

Message and order verifiability: Each entity can verify who is an original 
author of a message, who modifies an original message and furthermore to which 
or how order a message is modified. 

The previous multisignature has the following drawbacks in the above situation, although it realizes order flexibility:

1. A message $M$ should be fixed beforehand. This scheme does not allow any signer to generate a signature on his modified message.

2. A public key for multisignature should be determined by the order of signers. Therefore after setting up a public key for multisignature, a signer can be neither added nor excluded. Even the order of signers cannot be changed.

3. The signature generation phase runs two rounds through all signers.



3 Our Basic Multisignature Scheme 

This section proposes a basic model of multisignature schemes with flexibility and verifiability for both message and order. First we define the following notation. An original message $M_1$ is given by $I_1$. $M_{1,2,\ldots,i}$ ($i \ge 2$) denotes a message to which some modification has been added by the $i$-th signer $I_i$. The difference between $M_{1,2,\ldots,i-1}$ and $M_{1,2,\ldots,i}$, which means the modification by $I_i$, is defined as

$m_i = Diff(M_{1,2,\ldots,i-1}, M_{1,2,\ldots,i}).$

We also define a function $Patch$ which recovers a message,

$M_{1,2,\ldots,i} = Patch(m_1, m_2, \ldots, m_i).$

For the sake of convenience, we denote $m_1 = Patch(M_1)$. We use a signature scheme with a message recovery feature. The signature generation or message recovery function is denoted by $Sign(sk_i, m_i) = sgn_i$, or $Rec(pk_i, sgn_i)$, respectively, where $sk_i$ is $I_i$'s secret key and $pk_i$ is $I_i$'s public key. Let $h_1$ be a hash function. We also use two operations $\otimes$ and $\oslash$ in a group $G$ such that

$(A \otimes B) \oslash B = A \quad (\forall A, B \in G).$



302 



S. Mitomi and A. Miyaji 



For example in the case of $G = \mathbb{Z}_p$, $\otimes$ and $\oslash$ mean modular multiplication and modular inversion, respectively. Then the signature generation and verification are done as follows. Figures 1 and 2 show the signature generation and verification, respectively.

Signature generation:

Fig. 1. $I_j$'s signature generation (figure: inputs $m_j$, $ID_j$, $sgn_{j-1}$ and $sk_j$ to $Sign$; output $sgn_j = (r_j, s_j)$)



1. The first signer $I_1$ generates a signature on $h_1(m_1 \| ID_1)$ as follows,

$sgn_1 = Sign(sk_1, h_1(m_1 \| ID_1)) = (r_1, s_1),$

where the signature $sgn_1$ is divided into two parts, $r_1$ and $s_1$: $r_1$ is the next input to $I_2$'s signature generation, which is recovered by $I_2$'s signature verification. On the other hand, $s_1$ is the rest of $sgn_1$, which is sent to all signers as it is. Then send $(ID_1, s_1, r_1, m_1)$ as a signature on $m_1$ to the next.

2. A signer $I_j$ receives messages $m_1, m_2, \ldots, m_{j-1}$ from $I_{j-1}$. If $j > 2$, patch a message $M_{1,2,\ldots,j-1}$ as follows,

$M_{1,2,\ldots,j-1} = Patch(m_1, m_2, \ldots, m_{j-1}).$

$I_j$ modifies $M_{1,2,\ldots,j-1}$ to $M_{1,2,\ldots,j-1,j}$, computes the modification $m_j$,

$m_j = Diff(M_{1,2,\ldots,j-1}, M_{1,2,\ldots,j}),$

and generates a signature on $m_j$ by using $r_{j-1}$ of $I_{j-1}$'s signature,

$sgn_j = Sign(sk_j, r_{j-1} \otimes h_1(m_j \| ID_j)) = (r_j, s_j),$

where $sgn_j$ is divided into $r_j$ and $s_j$ in the same way as above. Then $I_j$'s signature on $m_j$ is $(r_j, s_j)$.

3. A multisignature of $M_{1,2,\ldots,i} = Patch(m_1, m_2, \ldots, m_i)$ by $I_1, I_2, \ldots, I_{i-1}$ and $I_i$ is given by $(ID_1, s_1, m_1), (ID_2, s_2, m_2), \ldots, (ID_i, s_i, r_i, m_i)$.

Signature verification:

1. A verifier receives $(ID_1, s_1, m_1), (ID_2, s_2, m_2), \ldots, (ID_i, s_i, r_i, m_i)$ from a signer $I_i$.

Fig. 2. $I_j$'s signature verification step

2. For $j = i, i-1, \ldots, 2$; compute

$T_j = Rec(pk_j, (r_j, s_j)) = r_{j-1} \otimes h_1(m_j \| ID_j),$
$r_{j-1} = T_j \oslash h_1(m_j \| ID_j).$

Let $j = j - 1$ and repeat step 2.

3. Finally compute

$T_1 = Rec(pk_1, (r_1, s_1)),$

and verify

$T_1 \stackrel{?}{=} h_1(m_1 \| ID_1).$

Our basic model satisfies the three features, message flexibility, order flexibility, 
message verifiability and order verifiability. Furthermore, we easily see that any 
message recovery signature can be applied to the above basic model. In the next 
section, we present two schemes based on DLP and RSA. 

4 Two Concrete Multisignature Schemes 

In this section, we give two examples based on DLP and RSA. 

4.1 DLP Based Scheme 

There are many variants of DLP based schemes of both types, message with appendix ([3,12,2]) and message recovery signature ([6,7]). For the sake of convenience, here we use the message recovery signature scheme with the DSA signature equation ([7]). Apparently any message recovery signature scheme can be applied to our multisignature scheme.

Initialization: An authenticated center generates a large prime $p$, $g \in \mathbb{Z}_p^*$ with prime order $q$. The two $\mathbb{Z}_p$-operations $\otimes$ and $\oslash$ of Section 3 are defined as multiplication and inverse in $\mathbb{Z}_p$, respectively. Each signer generates a pair of a secret key $x_i \in \mathbb{Z}_q^*$ and a public key $y_i = g^{x_i} \pmod p$, and publishes the public key $y_i$ with his identity information $ID_i$.
Signature generation:

1. The first signer $I_1$ generates a signature on an original message $m_1$. First generate $k_1 \in \mathbb{Z}_q$ randomly, compute $R_1 = g^{k_1} \pmod p$, $r_1 = (h_1(m_1 \| ID_1))^{-1} \cdot R_1 \pmod q$, and $s_1 = (x_1 r_1 + 1) k_1^{-1} \pmod q$, where $I_1$'s signature on $m_1$ is $(r_1, s_1)$, and send $(ID_1, s_1, r_1, m_1)$ to the next signer $I_2$.

2. A signer $I_j$ ($j \ge 2$) receives $M_{1,\ldots,j-1} = Patch(m_1, m_2, \ldots, m_{j-1})$ and modifies $M_{1,\ldots,j-1}$ to $M_{1,\ldots,j}$. Then $I_j$ generates a signature on the difference $m_j = Diff(M_{1,\ldots,j-1}, M_{1,\ldots,j})$: generate $k_j \in \mathbb{Z}_q$ randomly, and compute $R_j = g^{k_j} \pmod p$, $r_j = (h_1(m_j \| ID_j) \times r_{j-1})^{-1} \cdot R_j \pmod q$, and $s_j = (x_j r_j + 1) k_j^{-1} \pmod q$, where $I_j$'s signature on $m_j$ is $(r_j, s_j)$.

3. A multisignature of $M_{1,2,\ldots,i} = Patch(m_1, m_2, \ldots, m_i)$ by $I_1, \ldots, I_{i-1}$ and $I_i$ is given by $(ID_1, s_1, m_1), \ldots, (ID_{i-1}, s_{i-1}, m_{i-1}), (ID_i, s_i, r_i, m_i)$.

Signature verification:

1. A verifier receives $(ID_1, s_1, m_1), \ldots, (ID_{i-1}, s_{i-1}, m_{i-1})$ and $(ID_i, s_i, r_i, m_i)$ from the signer $I_i$.

2. For $j = i, i-1, \ldots, 3, 2$; compute $R'_j = g^{s_j^{-1}} y_j^{r_j s_j^{-1}} \pmod p$, $T_j = R'_j \cdot r_j^{-1} \pmod q$, and $r_{j-1} = T_j \cdot (h_1(m_j \| ID_j))^{-1} \pmod q$ by using $I_j$'s public key $y_j$. Let $j = j - 1$ and repeat step 2.

3. Finally compute $R'_1 = g^{s_1^{-1}} y_1^{r_1 s_1^{-1}} \pmod p$, and $T_1 = R'_1 \cdot r_1^{-1} \pmod q$, and verify $T_1 \stackrel{?}{=} h_1(m_1 \| ID_1) \pmod q$.

Our multisignature based on an ElGamal-type signature has the feature that each signer has only one pair of a public key and a secret key.
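The basic model of Section 3 and its DLP instantiation in Section 4.1, as one added Python example (not the authors' code): it builds a toy safe-prime group, signs a chain of three modifications with $r_j = (h_1(m_j \| ID_j) \times r_{j-1})^{-1} R_j$ and $s_j = (x_j r_j + 1) k_j^{-1}$, recovers $r_{j-1}$ step by step exactly as the verification does, and then shows that swapping the order of two signers, excluding a signer, or altering one $m_j$ makes the final check $T_1 = h_1(m_1 \| ID_1)$ fail. $Patch$ is modelled as concatenation, so $Diff$ of an append-only edit is the appended text; the 48-bit group, the SHA-256-based $h_1$ and the signer names are constructed assumptions.

```python
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, rng: random.Random) -> tuple:
    """Return (p, q) with p = 2q + 1 both prime (toy size, constructed)."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(48, random.Random(2000))
G = 4                                  # 4 = 2^2 generates the order-q subgroup of Z_p^*


def h1(m: str, ident: str) -> int:
    """h_1(m || ID) mapped into Z_q^*, so it is always invertible mod q."""
    digest = hashlib.sha256(f"{m}||{ident}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def patch(*mods: str) -> str:          # Patch(m_1, ..., m_i): concatenation (assumption)
    return "".join(mods)


def diff(prev: str, new: str) -> str:  # Diff for an append-only modification (assumption)
    if not new.startswith(prev):
        raise ValueError("only append-style modifications are modelled")
    return new[len(prev):]


def keygen(rng: random.Random) -> tuple:
    x = rng.randrange(1, Q)            # secret key x_i in Z_q^*
    return x, pow(G, x, P)             # public key y_i = g^{x_i} mod p


def sign_step(x: int, ident: str, m: str, r_prev, rng: random.Random) -> tuple:
    """I_j's step of Section 4.1; r_prev is None for the first signer."""
    base = h1(m, ident) if r_prev is None else h1(m, ident) * r_prev % Q
    while True:
        k = rng.randrange(1, Q)
        R = pow(G, k, P)                                   # R_j = g^{k_j} mod p
        r = pow(base, -1, Q) * R % Q                       # r_j = (h_1 * r_{j-1})^{-1} R_j mod q
        if r:
            s = (x * r + 1) * pow(k, -1, Q) % Q            # s_j = (x_j r_j + 1) k_j^{-1} mod q
            if s:
                return r, s


def rec(y: int, r: int, s: int) -> int:
    """Rec(pk_j, (r_j, s_j)): R'_j = g^{s^-1} y^{r s^-1} (= g^{k_j}); returns T_j = R'_j r_j^{-1} mod q."""
    s_inv = pow(s, -1, Q)
    R = pow(G, s_inv, P) * pow(y, r * s_inv % Q, P) % P
    return R * pow(r, -1, Q) % Q


def multisign(signers: list, versions: list, rng: random.Random) -> tuple:
    """signers = [(x_j, ID_j)], versions = [M_1, M_{1,2}, ...]; returns ([(ID_j, s_j, m_j)], r_i)."""
    entries, r = [], None
    for j, ((x, ident), full) in enumerate(zip(signers, versions)):
        m = full if j == 0 else diff(versions[j - 1], full)
        r, s = sign_step(x, ident, m, r, rng)
        entries.append((ident, s, m))
    return entries, r


def verify(pub: dict, entries: list, r: int) -> bool:
    """Peel the chain from I_i back to I_1 and check T_1 = h_1(m_1 || ID_1)."""
    for ident, s, m in reversed(entries[1:]):
        if r == 0 or s == 0:
            return False
        r = rec(pub[ident], r, s) * pow(h1(m, ident), -1, Q) % Q   # r_{j-1} = T_j / h_1
    ident, s, m = entries[0]
    return r != 0 and s != 0 and rec(pub[ident], r, s) == h1(m, ident)


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    names = ("alice", "bob", "carol")
    keys = {ident: keygen(rng) for ident in names}
    pub = {ident: y for ident, (_, y) in keys.items()}
    signers = [(keys[i][0], i) for i in names]
    versions = ["draft v1;", "draft v1;bob's patch;", "draft v1;bob's patch;carol's review;"]
    entries, r = multisign(signers, versions, rng)
    forged = (entries[1][0], entries[1][1], "bob's other patch;")   # same s_2, different m_2
    return {
        "valid": verify(pub, entries, r),
        "patched": patch(*(m for _, _, m in entries)) == versions[-1],
        "swapped": verify(pub, [entries[0], entries[2], entries[1]], r),
        "excluded": verify(pub, [entries[0], entries[2]], r),
        "modified": verify(pub, [entries[0], forged, entries[2]], r),
    }
```

`demo()` returns `valid` and `patched` as `True` and the three tampered cases as `False`. Order and membership are enforced because each $r_{j-1}$ can only be recovered from the signature that was computed on top of it; an entry moved, dropped or edited yields a wrong $r_{j-1}$ and the error propagates down to the $I_1$ check.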

4.2 RSA Based Scheme 

Here we present our multisignature scheme based on the RSA multisignature ([4]).
Initialization: An authenticated center publishes small primes $\{r_l\} = \{2, 3, 5, \ldots\}$. A signer $I_i$ with identity information $ID_i$ generates two large primes $p_i$ and $q_i$ secretly, and computes public keys $n_{i,l}$ and $e_{i,l} \in \mathbb{Z}^*_{L_{i,l}}$ in such a way that $n_{i,l} = p_i q_i r_l$, $L_{i,l} = LCM((p_i - 1), (q_i - 1), (r_l - 1))$, $e_{i,l} d_{i,l} \equiv 1 \pmod{L_{i,l}}$, by using $\{r_l\}$. Signer $I_i$ publishes all his public keys $n_{i,l}$, $e_{i,l}$ and $r_l$ as in Table 4.2.

In the RSA-based multisignature, both operations in $\mathbb{Z}_{n_{i,l}}$, $\otimes$ and $\oslash$, are set to $\oplus$ (XOR), and $I_i$'s signature $sgn_i$ is just the next input to $I_{i+1}$'s signature generation: $sgn_i$ is not divided into two parts.

Signature generation:

1. The first signer $I_1$ generates a signature on an original message $m_1$: select the minimum number $l_1$ such that $n_{1,l_1} > h_1(m_1 \| ID_1)$ and compute $sgn_1 = (h_1(m_1 \| ID_1))^{d_{1,l_1}} \pmod{n_{1,l_1}}$. Then send $(ID_1, m_1, l_1, sgn_1)$ as a signature on $m_1$ to the next.

2. A signer $I_j$ receives $m_1, m_2, \ldots, m_{j-1}$ from $I_{j-1}$. If $j > 2$, patch the message $M_{1,2,\ldots,j-1} = Patch(m_1, m_2, \ldots, m_{j-1})$ and modify it to $M_{1,2,\ldots,j}$. Then $I_j$ generates a signature on $m_j = Diff(M_{1,2,\ldots,j-1}, M_{1,2,\ldots,j})$: select the minimum number $l_j$ such that $n_{j,l_j} > sgn_{j-1} \oplus h_1(m_j \| ID_j)$, and compute $T = sgn_{j-1} \oplus h_1(m_j \| ID_j)$, and $sgn_j = T^{d_{j,l_j}} \pmod{n_{j,l_j}}$.

3. A multisignature of $M_{1,2,\ldots,i} = Patch(m_1, m_2, \ldots, m_i)$ by $I_1, \ldots, I_{i-1}$ and $I_i$ is given by $(ID_1, l_1, m_1), (ID_2, l_2, m_2), \ldots,$ and $(ID_i, l_i, m_i, sgn_i)$.

Table 1. $I_i$'s pairs of secret key and public key

| $l$          | 1                      | 2                      | ... |
| $r_l$        | $r_1$                  | $r_2$                  | ... |
| public keys  | $(n_{i,1}, e_{i,1})$   | $(n_{i,2}, e_{i,2})$   | ... |
| secret keys  | $d_{i,1}$              | $d_{i,2}$              | ... |

Signature verification:

1. The verifier receives $(ID_1, l_1, m_1), (ID_2, l_2, m_2), \ldots, (ID_i, l_i, m_i, sgn_i)$ from a signer $I_i$.

2. For $j = i, i-1, \ldots, 2$; compute $T' = (sgn_j)^{e_{j,l_j}} \pmod{n_{j,l_j}}$, and $sgn_{j-1} = h_1(m_j \| ID_j) \oplus T'$ by using $I_j$'s public key $(n_{j,l_j}, e_{j,l_j})$. Let $j = j - 1$ and repeat step 2.

3. Compute $T' = sgn_1^{e_{1,l_1}} \pmod{n_{1,l_1}}$ by using $I_1$'s public key $(n_{1,l_1}, e_{1,l_1})$, and check $T' \stackrel{?}{=} h_1(m_1 \| ID_1)$.

Our multisignature based on RSA has the following features: 1. The size of the multisignature stays low even if the number of signers increases, compared with the DLP based scheme. 2. It is necessary for each signer to have plural pairs of secret and public keys.

4.3 Performance Evaluation 

We evaluate our two multisignature schemes from the point of view of computation amount, signature size and the number of rounds, where the signature size means that of the final multisignature by $I_1, \ldots, I_i$, and the number of rounds means how many times the process to generate the signature runs through all signers. No multisignature with message flexibility, order flexibility and order verifiability has been proposed before. One primitive scheme with message flexibility is a simple chain of signatures: each signer makes a signature on his own modification and sends it together with the previous signer's signature. Apparently it does not satisfy order verifiability. We also compare our schemes with this primitive scheme. For a simple discussion, we assume the following conditions: 1. the primitive arithmetic of binary methods ([5]) is used for the computation of exponentiation; 2. we denote the number of signers and the computation time for one $n$-bit modular multiplication by $i$ and $M(n)$, respectively, where $M(n) = (\frac{n}{m})^2 M(m)$; 3. the two primes $p$ and $q$ are set to 1024 and 160 bits respectively, in the DLP-based signature schemes; 4. the two primes $p_i$ and $q_i$ are set to 512 bits, and $r_l$ is less than 10 bits, in the RSA-based signature schemes.
Table 2. Performance of DLP-based multisignature schemes

| Scheme           | Computation amount (×M(1024)): $I_i$'s signature generation | Computation amount (×M(1024)): signature verification | Signature size (bits) | Rounds | Features   |
| Our scheme       | 243  | 483i        | 160(i + 1)   | 1 | MF, OF, OV |
| Primitive scheme | 242  | 483i        | 320i         | 1 | MF         |
| Scheme([11])     | 242  | 481 + 241i  | 160 + 1024i  | 1 | —          |
| Scheme([1])      | 483  | 1778        | 2048         | 2 | OV         |

MF: Message Flexibility, OF: Order Flexibility, OV: Order Verifiability

Table 3. Performance of RSA based signatures

| Scheme           | Computation amount (×M(1024)): $I_i$'s signature generation | Computation amount (×M(1024)): signature verification | Signature size (bits) | Rounds | Features   |
| Our scheme       | 1536 | 9i | 1024 + 10i | 1 | MF, OF, OV |
| Primitive scheme | 1536 | 9i | 1024i      | 1 | MF         |

DLP based multisignature schemes are mainly classified into two types, the one-round scheme ([11]) and the two-round scheme of Section 2. Generally, the signature verification phase in the two-round scheme is simpler than in the one-round scheme. However the signature generation phase in the two-round scheme, which runs twice through all signers, is rather complicated. Here we compare our scheme with the primitive scheme, the one-round scheme ([11]) and the two-round scheme ([1]). Table 2 shows the performance of the 4 schemes. From Table 2, we see that only the computation amount for signature verification increases, and the signature size is even reduced, compared with the same one-round multisignature. Therefore our protocol can realize the three features of message flexibility, order flexibility, and order verifiability with only a negligible additional computation amount in signature generation.

Here we compare our RSA-based multisignature scheme with the primitive scheme. Table 2 shows the performance of the two schemes. From Table 2, we see that our protocol can realize the three features, message flexibility, order flexibility, and order verifiability, with neither additional computation amount nor additional signature size.

5 Security Consideration 

In this section, we discuss the security relation between our DLP based multisignature scheme and DLP. We assume that all signers except for an honest signer $I_n$ collude in attacks: attackers use all secret keys $x_j$ ($j \ne n$), random numbers $k_j$, public information like public keys, all messages $m_1, \ldots, m_n \in \mathbb{Z}$ and valid partial signatures. By using this information, attackers try to forge $I_n$'s signatures. For simplicity, we denote the sequence $x_1, x_2, \ldots, x_n$ by $x_{[1,n]}$ and the sequence $x_1, x_2, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n$ by $x_{[1,n \setminus i]}$, where $1 \le i \le n$. We also denote $x_1, x_2, \ldots, x_n \in \mathbb{Z}_q$ by $x_{[1,n]} \in \mathbb{Z}_q$. In our security proof, we use the polynomial-time truth-table ($\le^p_{tt}$) reducibility of the function version ([10]), which discusses passive attacks. In this reducibility only $k$ non-adaptive queries to an oracle are allowed.

5.1 Functions 

First we define some functions. 

Definition 1. DLP$(X, g, p, q)$ is the function that on input two primes $p, q$ with $q \mid (p-1)$, $X, g \in \mathbb{Z}_p^*$, outputs $a \in \mathbb{Z}_q$ such that $X = g^a \pmod p$ if such $a \in \mathbb{Z}_q$ exists.

We define the function Forge that forges $I_n$'s valid signature $(r_n, s_n)$ on $m_{[1,n]}$ in order $I_{[1,n]}$ by using available public information, a signature on $m_{[1,n-1]}$ by $I_{[1,n-1]}$ and available secret data like $x_{[1,n-1]}$ and $k_{[1,n-1]}$ for attackers $I_{[1,n-1]}$.

Definition 2. Forge$(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, s_{[1,n-1]}, r_{n-1}, k_n)$ is the function that on input two primes $p, q$ with $q \mid (p-1)$, $y_n, g \in \mathbb{Z}_p^*$, $m_{[1,n]}, ID_{[1,n]} \in \mathbb{Z}$, $s_{[1,n-1]}, r_{n-1}, k_n \in \mathbb{Z}_q^*$, outputs $(r_n, s_n) \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$ such that

$t_j = g^{s_j^{-1}} y_j^{r_j s_j^{-1}} \pmod p$, $T_j = t_j \cdot r_j^{-1} \pmod q$, and $r_{j-1} = T_j \cdot (h_1(m_j \| ID_j))^{-1} \pmod q$

for $j = n, n-1, \ldots, 3, 2$, and that $t_1 = g^{s_1^{-1}} y_1^{r_1 s_1^{-1}} \pmod p$ and $T_1 = t_1 \cdot r_1^{-1} \pmod q$, if such $(r_n, s_n) \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$ exists.

Next we define the function Exclude that forges $I_n$'s valid signature $(s'_n, k_n)$ on $m_{[1,n \setminus n-1]}$ in order $I_{[1,n \setminus n-1]}$ by using available public information, a signature on $m_{[1,n]}$ by $I_{[1,n]}$ and available secret data $x_{[1,n-1]}$ and $k_{[1,n-1]}$ for attackers $I_{[1,n-1]}$.

Definition 3. Exclude$(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, x_{[1,n-1]}, s_{[1,n]}, r_n)$ is the function that on input two primes $p, q$ with $q \mid (p-1)$, $g, y_n \in \mathbb{Z}_p^*$, $m_{[1,n]}, ID_{[1,n]} \in \mathbb{Z}$, $x_{[1,n-1]}, s_{[1,n]}, r_n \in \mathbb{Z}_q^*$, outputs $(s'_n, k_n) \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$ such that $R_n = g^{k_n} \pmod p$, $r'_n = (h_1(m_n \| ID_n) \times r_{n-2})^{-1} \cdot R_n \pmod q$, and $s'_n = (x_n r'_n + 1) k_n^{-1} \pmod q$; for $j = n-2, \ldots, 2$: $t_j = g^{s_j^{-1}} y_j^{r_j s_j^{-1}} \pmod p$, $T_j = t_j \cdot r_j^{-1} \pmod q$, and $r_{j-1} = T_j \cdot (h_1(m_j \| ID_j))^{-1} \pmod q$; and that $t_1 = g^{s_1^{-1}} y_1^{r_1 s_1^{-1}} \pmod p$, $T_1 = t_1 \cdot r_1^{-1} \pmod q$, if such $(s'_n, k_n) \in \mathbb{Z}_q^* \times \mathbb{Z}_q^*$ exists.

Next we define the function SWAP that forges a valid multisignature on $m_{[1,n-2]}, m_n, m_{n-1}$ in order $I_{[1,n-2]}, I_n, I_{n-1}$ by using available public information, a valid multisignature $(r_n, s_{[1,n]})$ on $m_{[1,n]}$ by $I_{[1,n]}$ and available secret data $x_{[1,n-1]}$ and $k_{[1,n-1]}$ for attackers $I_{[1,n-1]}$. From the assumption that $I_{[1,n-1]}$ are attackers, the function SWAP that forges $I_n$'s signature $(r_n, s_n)$ on $m_{[1,n-2]}, m_n, m_{n-1}$ in order $I_{[1,n-2]}, I_n, I_{n-1}$ for a valid signature $(r_n, s_{[1,n]})$ on $m_{[1,n]}$ by $I_{[1,n]}$ is just the same as the function that computes Exclude and adds attacker $I_{n-1}$'s signature on $m_{[1,n-2]}, m_n, m_{n-1}$ in order $I_{[1,n-2]}, I_n, I_{n-1}$. Conversely, the function Exclude is just the same as the function that, for a valid signature $(r_n, s_{[1,n]})$ on $m_{[1,n]}$ by $I_{[1,n]}$, computes SWAP and outputs only $I_n$'s multisignature $(r_n, s_n)$. Therefore the following theorem holds.
Theorem 1. SWAP $\equiv^p_{tt}$ Exclude.

For the sake of the following proof, we define the function SIGN that generates a valid signature $(r_n, s_{[1,n]})$ on messages $m_{[1,n]}$ by signers $I_{[1,n]}$ by using all secret data $x_{[1,n]}$ and $k_{[1,n]}$ of the signers $I_{[1,n]}$. This function is just the signature generation function. Apparently it is easy to compute SIGN.

Definition 4. SIGN$(g, p, q, x_{[1,n]}, k_{[1,n]}, m_{[1,n]}, ID_{[1,n]})$ is the function that on input two primes $p, q$ with $q \mid (p-1)$, $g \in \mathbb{Z}_p^*$, $x_{[1,n]}, k_{[1,n]} \in \mathbb{Z}_q^*$, $m_{[1,n]}, ID_{[1,n]} \in \mathbb{Z}$, outputs $(r_n, s_{[1,n]}) \in \mathbb{Z}_q^*$ such that for $j = n, \ldots, 3, 2$, $t_j = g^{s_j^{-1}} y_j^{r_j s_j^{-1}} \pmod p$, $T_j = t_j \cdot r_j^{-1} \pmod q$ and $r_{j-1} = T_j \cdot (h_1(m_j \| ID_j))^{-1} \pmod q$, and that $t_1 = g^{s_1^{-1}} y_1^{r_1 s_1^{-1}} \pmod p$, $T_1 = t_1 \cdot r_1^{-1} \pmod q$, if such $r_n, s_{[1,n]} \in \mathbb{Z}_q$ exist.

5.2 Reduction among Functions 

Here we show our results. First we set functions $\psi_i$ to give the $i$-th element, $\psi_i(a_{[1,n]}) = a_i$ ($i \le n$).

Theorem 2. Forge $\equiv^p_{tt}$ DLP.

Proof: First we show that Forge $\le^p_{tt}$ DLP. For inputs $(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, s_{[1,n-1]}, r_{n-1})$ of Forge, fix $k_n \in \mathbb{Z}_q$ and set $R_n = g^{k_n} \pmod p$, $r_n = r_{n-1}^{-1} \cdot h_1(m_n \| ID_n)^{-1} \cdot R_n \pmod q$. Then

$\mathrm{Forge}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, s_{[1,n-1]}, r_{n-1}, k_n)$
$= (r_n, (\mathrm{DLP}(y_n, g, p, q)\, r_n + 1)\, k_n^{-1} \pmod q)$
$= (r_n, s_n).$

Next we show that DLP $\le^p_{tt}$ Forge. For input $(y_n, g, p, q)$ of DLP, fix $k_{[1,n]} \in \mathbb{Z}_q^*$, $m_{[1,n]}, ID_{[1,n]} \in \mathbb{Z}$, $x_{[1,n-1]} \in \mathbb{Z}_q^*$, and set

$(r_{n-1}, s_{[1,n-1]}) = \mathrm{SIGN}(g, p, q, x_{[1,n-1]}, k_{[1,n-1]}, m_{[1,n-1]}, ID_{[1,n-1]}),$

which is computed in polynomial time from the definition. Then

$\mathrm{DLP}(y_n, g, p, q) = (\psi_2(\mathrm{Forge}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, s_{[1,n-1]}, r_{n-1}, k_n)) \cdot k_n - 1)\, r_n^{-1},$

where $r_n = \psi_1(\mathrm{Forge}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, s_{[1,n-1]}, r_{n-1}, k_n))$.

Therefore we get DLP $\equiv^p_{tt}$ Forge.

Theorem 3. Exclude $\equiv^p_{tt}$ DLP.

Proof: First we show that Exclude $\le^p_{tt}$ DLP. For inputs $(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, x_{[1,n-1]}, s_{[1,n]}, r_n)$ of Exclude, fix $k_n \in \mathbb{Z}_q$, and set $R_n = g^{k_n} \pmod p$ and $r'_n = r_{n-2}^{-1} \cdot h_1(m_n \| ID_n)^{-1} \cdot R_n \pmod q$. Then

$\mathrm{Exclude}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, x_{[1,n-1]}, s_{[1,n]}, r_n, k_n)$
$= ((\mathrm{DLP}(y_n, g, p, q)\, r'_n + 1)\, k_n^{-1} \pmod q,\ k_n).$

Next we show that DLP $\le^p_{tt}$ Exclude. For inputs $(y_n, g, p, q)$ of DLP, fix $k_{[1,n-1]} \in \mathbb{Z}_q^*$, $m_{[1,n]}, ID_{[1,n]} \in \mathbb{Z}$, $x_{[1,n-1]} \in \mathbb{Z}_q^*$, and set

$(r_{n-2}, s_{[1,n-2]}) = \mathrm{SIGN}(g, p, q, x_{[1,n-2]}, k_{[1,n-2]}, m_{[1,n-2]}, ID_{[1,n-2]}),$

which is computed in polynomial time from the definition. Then $\mathrm{DLP}(y_n, g, p, q) = (s'_n \cdot k_n - 1) \cdot r'^{-1}_n$, where

$s'_n = \psi_1(\mathrm{Exclude}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, x_{[1,n-1]}, s_{[1,n]}, r_n)),$
$k_n = \psi_2(\mathrm{Exclude}(y_n, g, p, q, m_{[1,n]}, ID_{[1,n]}, x_{[1,n-1]}, s_{[1,n]}, r_n)),$
$R_n = g^{k_n} \pmod p$, and $r'_n = (r_{n-2} \cdot h_1(m_n \| ID_n))^{-1} \cdot R_n \pmod q$.

Then we get DLP $\equiv^p_{tt}$ Exclude.

6 Further Discussion 

We discuss how to add the following feature to our multisignature scheme.

Robustness: If the signature verification fails, then prevent such an unauthentic message from damaging a receiver.

We realize robustness by combining our multisignature with an encryption function, so we call it multisigncrypt. Multisigncrypt has the feature that a message cannot be recovered if the signature verification fails, in addition to message flexibility, order flexibility, and order verifiability. Therefore a multisigncrypt can prevent a computer virus mixed into a message from damaging a receiver, since an unauthentic message cannot be recovered.

6.1 Multisigncrypt Scheme

For simplicity, we present the multisigncrypt scheme by using our basic multisignature scheme.

Initialization: A center publishes two hash functions $h_1$ and $h_2$, and an encryption and a decryption function, $E(K_i, m_i)$ and $D(K_i, C_i)$, in addition to the initialization in the basic multisignature scheme, where $h_2$ is used for computing a session key $K_i$ for $E$ and $D$, and $C_i$ is a ciphertext.

Signature generation:

Fig. 3. $I_j$'s signature generation
1. The first signer I_1 computes

sgn_1 = Sign(sk_1, h_1(m_1||ID_1)) = (r_1, s_1),

where sgn_1 is divided into two parts r_1 and s_1 in the same way as in Section 3, generates a session key K_1,

K_1 = h_2(h_1(m_1||ID_1)),

and encrypts m_1||ID_1 by an encryption function E,

C_1 = E(K_1, m_1||ID_1),

and sends (ID_1, s_1, r_1, C_1) to the next signer I_2.

2. A signer I_j verifies the signature from I_{j-1} on m_1, ..., m_{j-1} according to the verification step below, and modifies M_{1...j-1} = Patch(m_1, ..., m_{j-1}) to M_{1...j}. Then I_j generates a signature on the difference m_j = Diff(M_{1...j}, M_{1...j-1}): compute

sgn_j = Sign(sk_j, r_{j-1} ⊕ h_1(m_j||ID_j)) = (r_j, s_j),

K_j = h_2(r_{j-1} ⊕ h_1(m_j||ID_j)),

and encrypts m_j||ID_j by using the session key K_j,

C_j = E(K_j, m_j||ID_j).

3. A multisignature on M_{1,2,...,i} = Patch(m_1, m_2, ..., m_i) by I_1, ..., I_i is given by (ID_1, s_1, C_1), (ID_2, s_2, C_2), ..., (ID_i, s_i, r_i, C_i).



Fig. 4. I_j's signature verification step



Signature verification: 

1. The verifier receives (ID_1, s_1, C_1), ..., (ID_{i-1}, s_{i-1}, r_{i-1}, C_{i-1}), (ID_i, s_i, r_i, C_i) from the signer I_i.

2. For j = i, ..., 3, 2: compute

T_j = Rec(pk_j, (s_j, r_j)), and K_j = h_2(T_j),

and decrypt m_j and ID_j by

m'_j||ID'_j = D(K_j, C_j).

If ID'_j = ID_j holds, then accept the signature and recover r_{j-1},

r_{j-1} = T_j ⊕ h_1(m'_j||ID'_j).

Set j = j − 1 and repeat step 2.

3. Compute

T_1 = Rec(pk_1, (s_1, r_1)) and K_1 = h_2(T_1),

and decrypt m_1 and ID_1 by

m'_1||ID'_1 = D(K_1, C_1).

If h_1(m'_1||ID'_1) = T_1 holds, then accept the signature and finally patch all messages,

M_{1...i} = Patch(m_1, ..., m_i).

In both cases of DLP- and RSA-based multisignature schemes, we can also add 
the feature of Robustness in the same way as the above. 
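The multisigncrypt generation and verification steps above, as an added Python example that is not the paper's code: Sign/Rec are realized with a Nyberg-Rueppel message recovery signature, h_1 and h_2 with SHA-256, E/D with a toy XOR keystream, and Patch as concatenation of the signers' differences. The group parameters, the fixed-length IDs and the tampering check at the end are assumptions of this example.

```python
import random
from hashlib import sha256

# Toy group, constructed for this example (not the paper's parameters): p is the
# Mersenne prime 2^127 - 1 and exponents are reduced mod p - 1, so any base in Z_p^*
# gives correct recovery.  A real deployment uses a prime-order subgroup.
P = (1 << 127) - 1
ORDER = P - 1
G = 3
ID_LEN = 8          # identities are fixed-length so m'_j||ID'_j can be split

def h1(data):
    """h_1: hash to a 127-bit integer, so that r_{j-1} XOR h_1(...) stays below p."""
    return int.from_bytes(sha256(data).digest()[:16], "big") >> 1

def h2(t):
    """h_2: derives the session key K_j from T_j = r_{j-1} XOR h_1(m_j||ID_j)."""
    return sha256(b"session-key" + t.to_bytes(16, "big")).digest()

def E(key, data):
    """Toy stream cipher standing in for E: XOR with a SHA-256 keystream. D = E."""
    stream = b"".join(sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

D = E

def sign(sk, t, rng):
    """Sign(sk, T): Nyberg-Rueppel message recovery signature (r, s) on T."""
    k = rng.randrange(1, ORDER)
    r = t * pow(G, -k, P) % P
    s = (k + sk * r) % ORDER
    return r, s

def rec(pk, s, r):
    """Rec(pk, (s, r)): recovers T = g^s * pk^(-r) * r mod p."""
    return pow(G, s, P) * pow(pk, -r, P) % P * r % P

def multisigncrypt(signers, pks, rng):
    """Signature generation. signers: [(ID_j, sk_j, m_j), ...] in signing order, where
    m_j is I_j's difference; returns [(ID_1, s_1, C_1), ..., (ID_i, s_i, C_i, r_i)]."""
    out, r_prev = [], None
    for ID, sk, m in signers:
        if out:   # step 2: verify what the previous signer sent before extending it
            assert verify(pks, out[:-1] + [out[-1] + (r_prev,)]) is not None
        payload = m + ID
        t = h1(payload) if r_prev is None else r_prev ^ h1(payload)
        r, s = sign(sk, t, rng)
        out.append((ID, s, E(h2(t), payload)))   # C_j = E(K_j, m_j||ID_j)
        r_prev = r
    return out[:-1] + [out[-1] + (r_prev,)]      # only the last r_i is transmitted

def verify(pks, multisig):
    """Signature verification: returns Patch(m_1, ..., m_i) as a list, or None
    when a check fails, in which case no message has been recovered."""
    *head, (ID_i, s_i, C_i, r) = multisig
    chain = head + [(ID_i, s_i, C_i)]
    messages = []
    for j in range(len(chain) - 1, -1, -1):       # j = i, ..., 2, then j = 1
        ID, s, C = chain[j]
        if ID not in pks:
            return None
        t = rec(pks[ID], s, r)                    # T_j = Rec(pk_j, (s_j, r_j))
        payload = D(h2(t), C)                     # m'_j || ID'_j
        m, ID_rec = payload[:-ID_LEN], payload[-ID_LEN:]
        if j > 0:
            if ID_rec != ID:
                return None
            r = t ^ h1(payload)                   # recover r_{j-1} for the next step
        elif h1(payload) != t:                    # first signer: h_1(m'_1||ID'_1) = T_1
            return None
        messages.append(m)
    return messages[::-1]

def demo(seed=2000):
    """Three signers; returns (messages from the genuine chain, result after tampering)."""
    rng = random.Random(seed)
    ids = [b"signer-1", b"signer-2", b"signer-3"]
    sks = {ID: rng.randrange(1, ORDER) for ID in ids}
    pks = {ID: pow(G, sk, P) for ID, sk in sks.items()}
    diffs = [b"draft v1", b"+ clause A", b"+ clause B"]
    multisig = multisigncrypt([(ID, sks[ID], m) for ID, m in zip(ids, diffs)], pks, rng)
    genuine = verify(pks, multisig)
    # Robustness: flip one bit of the last ciphertext. The chain of recovered
    # r_{j-1} values breaks, so an earlier ID check fails and nothing is released.
    ID_i, s_i, C_i, r_i = multisig[-1]
    tampered = multisig[:-1] + [(ID_i, s_i, bytes([C_i[0] ^ 1]) + C_i[1:], r_i)]
    return genuine, verify(pks, tampered)
```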

7 Conclusion 

In this paper, we have proposed a new multisignature scheme suitable for circulating messages through the Internet. Our multisignature scheme realizes the three features, Message flexibility, Order flexibility and Order verifiability, while keeping both the signature size and the computation amount in signature generation/verification low: only the computation amount for the signature verification increases, and the signature size is even reduced compared with the previous one-round multisignature scheme. We have also proposed the multisigncrypt scheme, which realizes Robustness in addition to Message flexibility, Order flexibility and Order verifiability. Furthermore, we have proved the following equivalences between our DLP-based multisignature and DLP in some typical attacks by using the reducibility of functions.

1. forge={pdlp 

2. SWAP=f/’DLP 

3. EXCLUDE^ffDLP 
Abstract. In this paper, we examine a broadcast exclusion problem, i.e., how to distribute an encryption key over a channel shared by n entities so that all but k excluded entities can get the key. Recently, J. Anzai, N. Matsuzaki and T. Matsumoto proposed a scheme that provides a solution to the broadcast exclusion problem. Their solution is to apply (k + 1, n + k) threshold cryptosystems. In this scheme, the transmission overhead is O(k) and each entity holds a fixed amount of secret key. However, each entity must compute the encryption key with k + 1 modular exponentiations. Therefore, a device with low computing power (e.g., a mobile terminal or a smart card) cannot calculate the broadcast key within a reasonable time. In this paper, we propose a new scheme in which each entity computes the key with only two modular exponentiations, regardless of n and k. We accomplish this by assuming a trusted key distributor, while retaining the advantages of the Anzai-Matsuzaki-Matsumoto scheme, i.e., the transmission overhead is O(k), and each entity holds a fixed amount of secret key regardless of n and k.



1 Introduction 

Background. Broadcast encryption allows a center to send the same message simultaneously and privately over a broadcast channel to all authorized entities. Cable and satellite Pay-TV, Internet multicasts and group telecommunications (e.g., private mobile radio or taxi radio) are typical examples of systems that can use broadcast encryption. In these systems, a secure and fast method to distribute a shared key (which is called the broadcast key in this paper) to all the authorized entities is desired.

This paper focuses on a broadcast exclusion problem (also known as a blacklisting problem) that is a kind of the broadcast encryption. The broadcast exclusion problem is how to transmit a broadcast key over a broadcast channel shared by n entities so that all but k excluded entities can get the broadcast key. Without the exclusion, an unauthorized entity could eavesdrop on the secret broadcasting using a telecommunications terminal which an authorized entity has lost. It is important to exclude this terminal as quickly as possible. Also, the broadcast exclusion will prevent entities from using paid services like Pay-TV and Internet access without paying a charge.

Previous works. One simple method of the broadcast exclusion is that a center sends a new broadcast key to each entity except the excluded entities, in encrypted form under the secret key of each non-excluded entity. This method requires a small amount of storage for each entity, since each entity stores only one secret key. However, the center must transmit n − k keys. This means that a large amount of transmission is required when n is large, where n is the number of all entities on the broadcast channel.

Recently, two major works on the broadcast exclusion problem have been 
presented. One method proposed by Kumar, Rajagopalan and Sahai [8] uses 
error-correcting codes without computational assumptions. 

Another method proposed by Anzai, Matsuzaki and Matsumoto [1] uses (k + 1, n + k) threshold cryptosystems in order to simultaneously exclude up to k entities. The transmission overhead is O(k) regardless of n, and each entity has only one key. Moreover, there is no requirement for a fixed-privileged key distributor. However, this scheme requires each entity to compute the broadcast key with k + 1 modular exponentiations. The parameter k should be set to a large integer to strengthen against a conspiracy attack. Using a large value for k, devices with low computing power (e.g., mobile terminals, smart cards, etc.) take a long time to calculate the broadcast key.

Our result. This paper proposes a new scheme in which each entity computes the broadcast key with two modular exponentiations, regardless of n and k. This allows even low-powered devices to calculate the broadcast key in a short period of time. Our scheme uses (k + 1, n + k) threshold cryptosystems, similar to the Anzai-Matsuzaki-Matsumoto scheme. The transmission overhead is O(k) and each entity stores a fixed amount of secret key regardless of n and k. The only additional assumption is the introduction of a fixed-privileged key distributor, which is a reasonable assumption in actual applications.

Organization. Section 2 describes previous works in this area and states our 
goal. Section 3 describes our target system and some assumptions. Section 4 
shows our approach and the basic scheme, and analyzes the problems. Section 
5 proposes our scheme as the result of considerations in section 4. Section 6 
discusses the security of our proposed scheme. Section 7 describes the other 
considerations. Section 8 evaluates the performance and features of our scheme. 



2 Previous Works and Our Goal 

Related works. In [7], Fiat and Naor introduced the general idea of a "broadcast encryption", wherein a center securely broadcasts a broadcast key or a message to selected subsets of entities. Also, they proposed a scheme which is resilient to any coalition of k entities, wherein every entity stores O(k log k log n) keys and the center broadcasts O(k^2 (log k)^2 log n) messages. A number of works have followed [2] [3] [5] [9], which focused mainly on the trade-off between the number of broadcasts and the number of keys held by each entity.

On the other hand, many researchers have investigated a broadcast exclusion problem that is a kind of the broadcast encryption. Two research groups of Wallner, Harder and Agee [12] and Wong, Gouda and Lam [13] proposed a hierarchical key distribution scheme using a balanced binary tree. In this scheme, the transmission overhead is O((degree − 1) × log n) and the number of keys for each entity is O(log n), where n is the number of entities on the broadcast channel and degree is the number of entities in the bottom subgroup of the hierarchical tree. Canetti, Garay, Itkis, Micciancio, Naor and Pinkas proposed an extended method [4] which reduces the amount of transmission. And, Canetti, Malkin and Nissim [5] studied the trade-off between the number of broadcasts and the number of keys held by each entity.

Recently, two works on the broadcast exclusion have been presented: one by Kumar, Rajagopalan and Sahai [8] and one by Anzai, Matsuzaki and Matsumoto [1]. In the Kumar-Rajagopalan-Sahai scheme, each entity has an individual subset of keys. Redundant pieces of a message, produced using an error-correcting code, are encrypted by keys belonging to non-excluded entities. The transmission overhead is O(k^2) regardless of n. And, the number of keys stored by each entity is O(k × log n), still depending on the number of entities in the group.

Anzai-Matsuzaki-Matsumoto scheme. Anzai, Matsuzaki and Matsumoto proposed a scheme [1] using (k + 1, n + k) threshold cryptosystems to exclude up to k entities simultaneously. Their basic scheme is as follows:

— A center divides a secret key S into n + k shadows with threshold k + 1 using a well-known secret sharing scheme [11]. And, he distributes n shadows to each of n entities in a secure manner. He stores the remaining k shadows as spare shadows. A (k + 1, n + k) secret sharing scheme is a probabilistic mapping of a secret to n + k shadows, such that

(a) the secret can be reconstructed from any k + 1 out of n + k shadows, and

(b) no subset of k shadows reveals any partial information about the secret.

— When the center excludes d entities, he broadcasts k shadows, i.e., d shadows of excluded entities plus k − d spare shadows. The transmission overhead is O(k) regardless of n.

— A non-excluded entity can recover S using k + 1 shadows, i.e., his secret key plus the broadcast shadows. The excluded entity cannot recover S because one of the broadcast shadows is his own secret key, and he can get only k shadows.

In order to exclude other entities in the next round, a center shall generate a new secret key S' and distribute new shadows of S' to each of the entities secretly, since the secret key S has come out to all the non-excluded entities, who include the excluded entities in the next round. The center cannot do frequent key renewal because the distribution of shadows to each of the entities takes a long time when n is large. They modify their basic scheme to broadcast the shadows {s_j} lifted to the exponentiation part with a random number r, i.e., {g^{r × s_j} mod p}. And, each non-excluded entity obtains the broadcast key g^{r × S} mod p, gathering k + 1 shadows of the secret S in the exponentiation part. This approach is similar to the threshold cryptosystems proposed by Desmedt and Frankel in [6]. The transmission overhead is O(k) regardless of n. And, each entity needs to hold only one secret. Therefore, the center can do the quick broadcast exclusion when n is large. And, their scheme is suitable for an entity with a small memory, compared with the other schemes. Moreover, any entity can exclude any other entity, using the public values {g^{s_j} mod p} on a public bulletin board.

However, this scheme requires each entity to compute the broadcast key with k + 1 modular exponentiations. The parameter k should be set to a large integer to strengthen against a conspiracy attack. Using a large value for k, it takes a long time for entities with low computing power (such as a mobile terminal and a smart card) to calculate the broadcast key.

Our goal and approach. Our goal is to propose a scheme in which the number of modular exponentiations for each entity can be kept small (regardless of n and k). Our approach is to distribute the shadows of excluded entities on the multiplicative group of the base field, with unknown parameters to conceal the shadows. To achieve our goal, we compromise by introducing a fixed-privileged key distributor who knows all secrets and determines the excluded entities. We consider the assumption of the key distributor to be reasonable in several actual applications.



3 Target Model and Assumptions 

Our target model consists of the following components: 

Key distributor: A trusted party who decides system parameters. He sets and stores all of the entities' secret keys. He alone can decide who should be excluded, and distributes the broadcast key to all the valid entities, except for the excluded entities.

Entity i: A user or a terminal sharing the same broadcast channel. Entity i stores a secret key s_i. We assume that the number of total entities is n. Let Φ = {1, 2, ..., n} be the set of the entities.

Excluded entity j: An entity to be excluded by the key distributor. Let Δ (⊂ Φ) be the set of excluded entities, having d entities.

Valid entity v: An entity who is not an excluded entity.

In this target model, we make the following system assumptions: 

1. All entities trust the key distributor. The key distributor doesn't do anything illegal.

2. All entities have simultaneous access to the data that the key distributor broadcasts.

3. The broadcast channel is insecure, i.e., anyone can see the data on the channel.

4. The number of all entities is very large compared with the number of excluded entities, i.e., d is a small percentage of n.

We also make the following assumptions on the security:

1. A discrete logarithm problem is computationally hard to solve.

2. In (k + 1, n + k) threshold cryptosystems, anyone with less than or equal to k shadows cannot get any information about the secret.

3. Excluded entities may conspire to get the broadcast key.

4. Excluded entities may publish their secret information to damage the system security.

5. Valid entities do not conspire with excluded entities. If this assumption is not satisfied, the excluded entity can get the broadcast key from the valid entity.

4 Our Approach 

We modify the Anzai-Matsuzaki-Matsumoto scheme so as to distribute the shadows of excluded entities on the multiplicative group of the base field, in order to reduce the number of modular exponentiations. In this section, we show the basic scheme and its problems.



4.1 Basic Scheme 

The scheme contains three phases: the system setup, the key distribution by the key distributor and the key calculation on each valid entity.

[System Setup]

First, a key distributor does system setup. He generates system parameters and secret keys of all entities as follows:

1. The key distributor decides the following system parameters and publishes them:

— n: the number of entities

— d: the number of excluded entities

— k: an integer such that 0 < d < k < n

— p: a large prime number such that n + k < q

— q: a large prime number such that q | p − 1

— g: a q-th root of unity over Z_p

2. The key distributor generates a system secret S ∈ Z_q and stores it secretly. The key distributor divides S into n + k shadows with threshold k + 1, using the well-known secret sharing scheme by Shamir [11]. Let s_i (i = 1, ..., n + k) be the n + k shadows.

3. The key distributor distributes s_i to the corresponding entity i in a secure manner.

[Key Distributor]

Whenever the key distributor wants to renew the broadcast key excluding selected entities, he generates and broadcasts the data as follows:

1. The key distributor selects a random number r ∈ Z_q, and calculates preparation data:

X = g^r mod p. (1)

2. The key distributor decides entities to be excluded. Let Δ be the set of excluded entities, and d be the number of excluded entities.

3. The key distributor picks k − d integers arbitrarily from the set {n + 1, ..., n + k}. Let Θ be the set of chosen integers. Then, the key distributor calculates k exclusion data:

m_j = r × s_j mod q. (j ∈ Δ ∪ Θ) (2)

4. The key distributor broadcasts the following broadcast data to all entities:

b = X || {j || m_j | j ∈ Δ ∪ Θ}, (3)

where || indicates the concatenation of the data.

5. The key distributor calculates the broadcast key u as follows:

u = g^{r × S} mod p. (4)



[Valid Entity v ∉ Δ]

Receiving the broadcast data from the key distributor, a valid entity v calculates the broadcast key u as follows:

u = X^{w1} × g^{w2} mod p, (5)

where

w1 = s_v × L(v) mod q, (6)

w2 = Σ_{j ∈ Δ ∪ Θ} (m_j × L(j)) mod q, (7)

and L(j) is a Lagrange's interpolation polynomial:

L(j) = Π_{t ∈ Δ ∪ Θ ∪ {v} \ {j}} t / (t − j) mod q. (8)

Every valid entity can obtain the common broadcast key u with only two modular exponentiations. The calculation amount of modular multiplication and modular addition in equations (5)(6)(7)(8) is negligible compared with a modular exponentiation. The broadcast key shown in equation (5) is the same as the key of the key distributor as follows:

u = X^{w1} × g^{w2} (mod p)

= g^{r × s_v × L(v)} × g^{Σ_{j ∈ Δ ∪ Θ} r × s_j × L(j)} (mod p)

= g^{r × Σ_{t ∈ Δ ∪ Θ ∪ {v}} s_t × L(t)} (mod p)

= g^{r × S} (mod p).

[Excluded Entity j ∈ Δ]

On the other hand, an excluded entity j cannot calculate the broadcast key u. The exclusion data includes the secret key s_j of the excluded entity j. Using equation (5), he can gather only k shadows of the system secret S in the exponentiation part. Also, an outsider cannot get the broadcast key u because he can get only k broadcast shadows.

4.2 Discussion on Security of the Basic Scheme 

In this section, we describe several security problems of the basic scheme. Before the security analyses, we arrange the parameters as follows:

System secret: S, all s_i and the random number r

Entity secret: s_i

Valid entity secret: broadcast key u = g^{r × S} mod p

Public data: public parameters n, k, p, q, g and all broadcast data, including the preparation data X = g^r mod p and the exclusion data m_j

First, we will discuss the security of the system secret S. Suppose that an entity knows the parameter S. He can obtain any broadcast key u = g^{r × S} mod p, using the public preparation data X, even if the key distributor does not want to share u with the entity.

Therefore, S must be concealed from all entities including valid entities. In the basic scheme, however, S may be obtained by the following two attacks:

Secret publish attack: Suppose that the number of excluded entities is k, i.e., d = k. If all the excluded entities publish their secret shadows s_j, any valid entity can calculate S using k + 1 shadows: his own secret and the k published shadows.

Spare shadow attack: Suppose that the key distributor uses the same spare exclusion data for each of R rounds. If the broadcast data b contains one exclusion data and k − 1 spare exclusion data for each of R rounds, an attacker gets k × R equations (shown in equation (2)) in k − 1 + 2R unknowns: k − 1 spare shadows, R shadows of excluded entities and R random numbers. The attacker will get S using k − 1 + R shadows, by solving them as soon as k × R exceeds k − 1 + 2R, for example k = 4 and R = 2.
To avoid the secret publish attack, d shall be less than k, i.e., d < k. And, to strengthen against the spare shadow attack, the key distributor shall generate new spare shadows of S for each round.

Next, we will discuss the security of the random number r. An excluded entity j can get the random number r from the exclusion data shown in equation (2), using his secret shadow s_j. So, we consider an attack as follows:

r publish attack: Suppose that an excluded entity publishes the random number r to all. Then, any entity can get k shadows from the exclusion data, using the published r. So,

— any entity can get more than k + 1 shadows for at least two rounds, and

— a valid entity can reconstruct the system secret S by adding his shadow to the k shadows.

To conceal the random number r from any entity, we will introduce a new unknown parameter t_j for each entity j into the exclusion data in equation (2), namely m_j = r × s_j + t_j mod q. Nevertheless, if the key distributor sends the exclusion data of the same entities two or more times, using different random numbers, the random numbers can be solved with a conspiracy. For example, four unknown parameters (two random numbers, t_j and t_k) can be solved from four equations with the conspiracy of the excluded entity j and entity k. So, when the key distributor continues to exclude the entities who have been excluded in the last round, he should not re-send the exclusion data for them. The key distributor encrypts the broadcast data by the last broadcast key. The excluded entities in the last round, who do not have the last broadcast key, are continuously excluded.



5 Proposed Scheme 

As the result of the considerations in the previous section, we propose the following scheme. Our proposed scheme can be based on an appropriate discrete logarithm problem defined over finite cyclic groups, including subgroups of Jacobians of elliptic curves and so on. In order to keep the explanation simple, we explain our scheme over a prime field Z_p.

[System Setup]

1. The key distributor decides the following system parameters:

— n: the number of entities

— d: the number of excluded entities

— k: an integer such that 0 < d < k < n

— p: a large prime number such that n + k < q

— q: a large prime number such that q | p − 1

— g: a q-th root of unity over Z_p

— E(·,·): a symmetric cipher
2. The key distributor generates a system secret S ∈ Z_q and stores it secretly. The key distributor chooses a random polynomial F of degree k + 1 over Z_q subject to the condition F(0) = S, in the same way as Shamir's secret sharing scheme. Then, the key distributor computes n shadows s_i (i = 1, 2, ..., n) as F(i). Here, we assume s_i ≠ 0 for every i. If s_i = 0, the key distributor changes the identity number of the entity from i to i', wherein s_{i'} ≠ 0.

3. The key distributor generates another system secret T ∈ Z_q and stores it secretly. The key distributor chooses another random polynomial G of degree k + 1 over Z_q subject to the condition G(0) = T. Then, the key distributor computes n shadows t_i (i = 1, 2, ..., n) as G(i).

4. The key distributor distributes [s_i (≠ 0), f_i = g^{t_i / s_i} mod p] to the corresponding entity i in a secure manner.

[Key Distributor] 

Let's assume that all valid entities have shared the broadcast key U' on round R. If R = 0, U' is a fixed universal secret. After that, the broadcast key on round R + 1 is distributed as follows.

1. The key distributor selects the random number r ∈ Z_q and calculates:

X = g^r mod p. (9)

2. The key distributor decides which entities to exclude among the valid entities on round R. Let Δ be a set of d excluded entities.

3. The key distributor picks k − d integers which are greater than n + k × (R − 1) and less than n + k × R. Let Θ be the set of chosen integers. The key distributor calculates s_l = F(l) and t_l = G(l) for each l ∈ Θ. Then, the key distributor calculates k exclusion data as follows:

M_j = r × s_j + t_j mod q. (j ∈ Δ ∪ Θ) (10)

4. The key distributor calculates the broadcast data B and encrypts it by U' as follows:

E(U', B) = E(U', X || {j || M_j | j ∈ Δ ∪ Θ}). (11)

5. The key distributor calculates the broadcast key U:

U = g^{r × S + T} mod p. (12)

[Valid Entity v ∉ Δ]

Receiving the encrypted broadcast data, valid entities on round R + 1 who are also valid entities on round R decrypt it using U'. Then, a valid entity v calculates the broadcast key U for round R + 1 as follows:

U = (X × f_v)^{w1} × g^{w2} mod p, (13)

where

w1 = s_v × L(v) mod q, (14)

w2 = Σ_{j ∈ Δ ∪ Θ} (M_j × L(j)) mod q. (15)
Every valid entity can obtain the common broadcast key U with only two modular exponentiations. The calculation amount of modular multiplication and modular addition in equations (13)(14)(15)(8) is negligible compared with a modular exponentiation. The broadcast key shown in equation (13) is the same as the key of the key distributor as follows:

U = (g^r × g^{t_v / s_v})^{s_v × L(v)} × g^{Σ_{j ∈ Δ ∪ Θ} (r × s_j + t_j) × L(j)} (mod p)

= g^{r × s_v × L(v) + t_v × L(v)} × g^{Σ_{j ∈ Δ ∪ Θ} (r × s_j + t_j) × L(j)} (mod p)

= g^{r × Σ_{j ∈ Δ ∪ Θ ∪ {v}} s_j × L(j)} × g^{Σ_{j ∈ Δ ∪ Θ ∪ {v}} t_j × L(j)} (mod p)

= g^{r × S + T} (mod p).

Finally, we consider an attack to modify and forge the broadcast data. To avoid the attack, the key distributor puts his signature on the broadcast data. Here, we propose a scheme that requires three modular exponentiations to calculate the broadcast key with the signature verification, applying the message recovery signature technique proposed by Nyberg and Rueppel [10]. The key distributor calculates his message recovery signature using his secret key x_0:

H = hash(j || M_j), j ∈ Δ ∪ Θ (16)

Z = (H × (−x_0) + r) mod q, (17)

wherein hash is a public hash function. The key distributor generates the broadcast data B using Z instead of the preparation data X. Therefore, the transmission amount does not increase.

Receiving the broadcast data, the valid entity obtains the broadcast key U with three modular exponentiations, using the public key y_0 of the key distributor:

U = g^{z1} × y_0^{z2} × f_v^{z3} mod p, (18)

where

z1 = Z × s_v × L(v) + Σ_{j ∈ Δ ∪ Θ} (M_j × L(j)) mod q,

z2 = H' × s_v × L(v) mod q,

z3 = s_v × L(v) mod q,

H' = hash(j || M_j), j ∈ Δ ∪ Θ.

The above equation follows from the equation:

X = g^r (mod p)

= g^Z × y_0^{H} (mod p),

which means that the preparation data X can be recovered from Z using the public key y_0.
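The basic scheme of Section 4.1 and the proposed scheme above, equations (9) to (18), as an added Python example that is not the paper's own code: Shamir shadows with the Lagrange coefficients of (8), the distributor's exclusion data and Nyberg-Rueppel style value Z, and the entity's three-exponentiation key computation. Assumptions of this example: a toy safe-prime group, SHA-256 as hash, an encoding of j || M_j, polynomials of degree k (so that k + 1 shadows fix the constant term, as the derivation after (15) needs), a seeded RNG, and the encryption under U' left out.

```python
import random
from hashlib import sha256

# Toy parameters, constructed for this example (far too small for real use):
# p = 2q + 1 is a safe prime, so G = 2^2 is a q-th root of unity over Z_p.
P, Q = 10007, 5003
G = pow(2, (P - 1) // Q, P)

def lagrange_at_zero(j, points):
    """L(j) of equation (8): product over t in points, t != j, of t / (t - j) mod q."""
    num = den = 1
    for t in points:
        if t != j:
            num, den = num * t % Q, den * (t - j) % Q
    return num * pow(den, -1, Q) % Q

def poly_eval(coeffs, x):
    """coeffs[0] + coeffs[1] x + ... + coeffs[k] x^k over Z_q."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def hash_exclusion_data(M):
    """H = hash(j || M_j) over all exclusion data, equation (16), reduced mod q.
    The byte encoding of j || M_j is an assumption of this example."""
    blob = b"".join(f"{j}:{M[j]},".encode() for j in sorted(M))
    return int.from_bytes(sha256(blob).digest(), "big") % Q

class KeyDistributor:
    """System secrets S, T, polynomials F, G and the signing key x_0 of Section 5."""

    def __init__(self, n, k, rng):
        self.n, self.k, self.rng, self.round = n, k, rng, 0
        # Degree-k polynomials: k+1 shadows reconstruct the constant term, k do not.
        self.F = [rng.randrange(1, Q) for _ in range(k + 1)]   # F(0) = S
        self.G = [rng.randrange(1, Q) for _ in range(k + 1)]   # G(0) = T
        self.x0 = rng.randrange(1, Q)                          # signing key x_0
        self.y0 = pow(G, self.x0, P)                           # public key y_0

    def secret_for(self, i):
        """Entity i's secret [s_i, f_i = g^(t_i / s_i) mod p]; s_i must be non-zero."""
        s_i, t_i = poly_eval(self.F, i), poly_eval(self.G, i)
        assert s_i != 0, "paper: give this entity a fresh identity number instead"
        return s_i, pow(G, t_i * pow(s_i, -1, Q) % Q, P)

    def new_round(self, excluded):
        """Equations (9)-(12), (16), (17): returns broadcast data (Z, M) and key U.
        The paper sends the data encrypted under last round's key U'; omitted here."""
        self.round += 1
        n, k, d = self.n, self.k, len(excluded)
        assert 0 <= d < k, "d < k is required (secret publish attack)"
        r = self.rng.randrange(1, Q)                               # X = g^r, (9)
        lo = n + k * (self.round - 1)                              # fresh spare ids
        spare = self.rng.sample(range(lo + 1, lo + k + 1), k - d)  # for this round
        M = {j: (r * poly_eval(self.F, j) + poly_eval(self.G, j)) % Q
             for j in list(excluded) + spare}                      # (10)
        Z = (hash_exclusion_data(M) * (-self.x0) + r) % Q          # (17) replaces X
        U = pow(G, (r * self.F[0] + self.G[0]) % Q, P)             # (12)
        return (Z, M), U

def entity_key(v, s_v, f_v, y0, broadcast):
    """Equation (18): three exponentiations, which also verifies the signature."""
    Z, M = broadcast
    points = set(M) | {v}
    H = hash_exclusion_data(M)                                     # H'
    w1 = s_v * lagrange_at_zero(v, points) % Q                     # (14)
    w2 = sum(M_j * lagrange_at_zero(j, points) for j, M_j in M.items()) % Q   # (15)
    # X = g^Z * y0^H recovers the preparation data, so (13) U = (X f_v)^w1 g^w2
    # becomes g^(Z w1 + w2) * y0^(H w1) * f_v^w1, i.e. g^z1 * y0^z2 * f_v^z3.
    return (pow(G, (Z * w1 + w2) % Q, P) * pow(y0, H * w1 % Q, P)
            * pow(f_v, w1, P)) % P

def demo(seed=2000):
    """One round with entity 2 excluded: (U, keys of valid entities, entity 2's attempt)."""
    rng = random.Random(seed)
    n, k = 6, 3
    kd = KeyDistributor(n, k, rng)
    secret = {i: kd.secret_for(i) for i in range(1, n + 1)}
    broadcast, U = kd.new_round(excluded=[2])
    valid = {v: entity_key(v, *secret[v], kd.y0, broadcast)
             for v in range(1, n + 1) if v != 2}
    # Entity 2's own shadow is among the exclusion data, so its interpolation set
    # holds only k points instead of k + 1 and the formula yields a different value.
    attempt = entity_key(2, *secret[2], kd.y0, broadcast)
    return U, valid, attempt
```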
6 Security Analyses

First, we consider the security of the system secret S. Because the number of excluded entities is less than (not equal to) the integer k, the secret publish attack is not possible. And, the key distributor uses fresh k − d spare shadows s_j (j ∈ Θ) for each round to strengthen against the spare shadow attack.

Concerning the security of the random number r, each excluded entity j (without the conspiracy) cannot get r because the new unknown parameter t_j is introduced in equation (10). Moreover, even if all excluded entities make the conspiracy, they cannot solve the k simultaneous equations because the number of unknowns is k + 1: k secret shadows t_j and the random number r. Also, the exclusion data of excluded entities are not re-used. So, no entity can solve simultaneous equations to get the random numbers. The key distributor continues to exclude the entities who have already been excluded in the last round by encrypting the broadcast data with the last broadcast key.

Next, we will discuss the security of g^T mod p. g^T mod p and T must be concealed from all the entities. And, our proposed scheme conceals g^T and T from all entities by the same proof as for the system secret S. The reason why g^T mod p must be concealed is as follows: suppose that an entity knows g^T mod p and broadcast keys U_1 and U_2. Then, he can get another broadcast key U_3 whose corresponding preparation data is X_3 = X_1 × X_2, by calculating U_3 = X_1^S × X_2^S × g^T mod p, wherein X_1^S = U_1 / g^T mod p and X_2^S = U_2 / g^T mod p.

Finally, we consider an attack to modify and forge the broadcast data. The key distributor can add the message recovery signature into the broadcast data without increasing the amount of transmission data. Then, the valid entities do not share a forged broadcast key even if an attacker modifies and forges the broadcast data. Moreover, we consider that a time-stamp on the broadcast data is necessary to prevent a replay attack.

7 Other Considerations 

New entity: When a new entity wants to join the broadcast group, the key distributor decides his unique identity number c which has not been used yet as an entity identification nor as a spare one. The key distributor calculates his secret key using F(c) and G(c), and sends it and the present broadcast key to him in a secure manner. If a previously excluded entity wants to join again, the key distributor issues a new identity number and a new secret key. This procedure does not affect the existing entities.

How to decide the parameter k: The key distributor can exclude at most k − 1 entities at one time. And, the parameter k determines the amount of broadcast data. Moreover, k determines the lifetime of the broadcast key against the conspiracy. Because k + 1 entities with the conspiracy can obtain the system secret S, the key distributor shall re-set the system parameters before the total number of excluded entities becomes over k + 1. Therefore, the key distributor should decide the parameter k to fit an actual system.







N. Matsuzaki, J. Anzai, and T. Matsumoto 



8 Evaluation 

First, we compare our scheme with the previous scheme using a simple binary balanced tree which was proposed in [12] [13], and is recommended in RFC2627. Here, we suppose that the key distributor excludes only one entity, i.e., d = 1, k = 2. We suppose that the previous scheme uses a 128 bit block cipher. Moreover, we suppose that our proposed scheme uses 160 bit elliptic curve cryptography and a symmetric cipher E(·,·) whose output data size is the same as the input data size.

Fig. 1 shows that the data amount (bits) transmitted by the key distributor in our scheme does not rely on the number of total entities n. Therefore, our scheme is effective to achieve a quick key distribution with the exclusion when n is large. On the other hand, the transmission amount in the previous scheme increases with n. The result of the previous scheme in Fig. 1 is derived from a table in [12].

Fig. 1. Comparison of transmission amount between our scheme and the previous scheme.



Fig. 2 shows that the key storage of each entity in our scheme does not rely on the number of total entities n. Therefore, our scheme is suitable for devices with a small memory. On the other hand, the key storage of the previous scheme increases to a large amount.





Light Weight Broadcast Exclusion Using Secret Sharing 325 




Fig. 2. Comparison of key storage between our scheme and the previous scheme (horizontal axis: the number of total entities n).

Next, we compare our scheme with Anzai-Matsuzaki-Matsumoto scheme [1] 
in Table 1. In Table 1, |p| denotes bit length of the parameter p, and so on. We 
add explanations for each of the comparison items as follows: 

The number of exponentiations: In our scheme, each entity can calculate the 
broadcast key with only two modular exponentiations regardless of n and k. 
Since 2 < k holds, our scheme is always faster and requires less computing 
power than Anzai-Matsuzaki-Matsumoto scheme. 

The amount of exclusion data: In our scheme, the key distributor broadcasts 
k exclusion data, similar to Anzai-Matsuzaki-Matsumoto scheme. The bit 
length of the exclusion data for each transmission is |g| bits, while bits 
length of Anzai-Matsuzaki-Matsumoto scheme is \p\ bits. Therefore, the to- 
tal amount of transmission data in our scheme can be reduced from Anzai- 
Matsuzaki-Matsumoto scheme (where the exclusion data has \p\ bits) when 
IpI > l^l (e.g., over a prime field Zp). 

The key storage of each entity: Our scheme requires each entity to store a small 
fixed amount of secret key material, regardless of n and k. Though the storage size of 
our scheme is slightly larger than that of the Anzai-Matsuzaki-Matsumoto scheme, 
it can be reduced using elliptic curve cryptography. 

Who can decide the excluded entities: The Anzai-Matsuzaki-Matsumoto scheme 
enables any entity to exclude any entity. On the other hand, only the key 
distributor can perform the broadcast exclusion in our scheme. We consider that 
this assumption is reasonable in some actual applications. 
Table 1. Comparison between our scheme and the Anzai-Matsuzaki-Matsumoto scheme. 

Comparison items                         Our proposed scheme    Anzai-Matsuzaki-Matsumoto scheme 
The number of exponentiations (times)    2                      k + 1 
The amount of exclusion data (bits)      k × |q|                k × |p| 
The key storage of each entity (bits)    |p| + |q|              |q| 
Who can decide the excluded entities     Only key distributor   Any entity 



9 Conclusion 

In this paper, we have proposed a scheme for the broadcast exclusion, in which 
each entity computes the broadcast key with two modular exponentiations. This 
allows devices with low computing power such as a telecommunications terminal 
or a smart card to obtain the broadcast key in a reasonable time. 
Abstract. The commonly used technique for cheating detection requires 
that extra information be given to each participant. However, in a 
secret sharing scheme, when the size of shares increases the security of the 
system degrades. In this paper we study the cheating problem in Shamir's 
scheme (in the sense of the Tompa and Woll [1] attack) and present alternative 
solutions to this problem. First we consider cheating prevention 
via longer shares. Next we introduce redundant secret sharing schemes 
and show how they can be used for cheating prevention. Nonlinear secret 
sharing also offers some protection against cheaters. The work concludes 
with a discussion of a combined approach. 



1 Introduction 

Since its invention, secret sharing has become an indispensable tool for group 
cryptography. The concept of secret sharing was independently formulated by 
Blakley [3], Chaum [4] and Shamir [5]. Secret sharing is set up by a trusted party 
also called the dealer. Knowing a secret, the dealer creates shares of the secret 
and distributes them to the participants (also called shareholders). After that 
the dealer disappears and the secret is collectively held by the group. To recover 
the secret, a big enough collection of participants pools their shares together and 
recreates the secret. The recovery of the secret can be done collectively when all 
active participants reveal their shares to each other or the participants delegate 
a trusted party called the combiner. 

Unfortunately, the recovery of the secret can be easily corrupted by a dishonest 
participant who pools a modified share (instead of the original). The secret 
recovered by the combiner is obviously different from the original, but the dishonest 
participant can compute the original secret, leaving the other honest principals 
with an invalid secret. This way of cheating was discussed by Tompa and Woll 
[1]. They also suggested a method to prevent the cheating. Since that time, there 
has been a considerable effort to investigate ways of cheating prevention. 
2 Previous Works 

Cheating prevention can be considered in either unconditionally or conditionally 
secure secret sharing. In unconditionally secure secret sharing, cheaters are identified 
by the combiner by checking the validity of their shares. It is assumed that 
once all shares have passed through validation, the recovered secret must be 
valid as well. Rabin and Ben-Or [9] showed how to validate shares by checking 
whether or not they satisfy a system of linear equations. Carpentieri [10] demonstrated 
a similar scheme but with shorter shares. The cheating prevention 
method suggested by Tompa and Woll [1] takes away the ability of a dishonest 
participant to calculate the valid secret from the invalid one. One straightforward 
solution to the problem of cheating is to have the trusted dealer sign each 
share prior to handing it out to a participant. Hence, a dishonest participant will 
be detected in the secret reconstruction phase. However, as pointed out in [1], all 
currently known signature schemes are conditionally secure, whereas the secret 
sharing scheme under investigation (the Shamir scheme) is an unconditionally 
secure scheme. 

In conditionally secure secret sharing, there are two related problems which 
have been addressed: (non-interactive) share verification and secret verification. 
Feldman [6] suggested a solution for the Shamir scheme. While setting up the 
scheme, the dealer announces check values $g^{a_i}$, where $a_i$ are the coefficients of the 
Shamir polynomial $f(x) = a_0 + a_1 x + \ldots + a_{t-1} x^{t-1}$ and $g$ is a primitive element of 
the cyclic group in GF(p). The prime p must be large enough so that instances of 
the discrete logarithm problem are intractable. Pedersen [7] designed a verifiable 
secret sharing based on a commitment scheme which follows Feldman's idea of 
public check values. The public checks can be used in two different circumstances: 
when participants want to verify the validity of their shares obtained from the 
dealer, or when the combiner wishes to verify the shares. A class of publicly 
verifiable secret sharing was introduced by Stadler in [8]. 

This work is structured as follows. The next Section describes basic definitions 
and notions used in secret sharing together with the Tompa-Woll (T-W) 
attack. Section 4 investigates the cheating success when shares given to participants 
are lengthened. Applicability of redundant secret sharing is studied in 
Section 5. Section 6 defines nonlinear secret sharing and examines its cheating 
prevention characteristics. The work is closed by Section 7 which discusses joint 
application of previously described cheating prevention methods. 

3 Basic Concepts of Secret Sharing 

In secret sharing, the basic active entity is a group $\mathcal{P}$ of n participants $\mathcal{P} = 
\{P_1, \ldots, P_n\}$ who collectively hold a secret. The access structure $\Gamma$ of the group 
$\mathcal{P}$ is the collection of all subsets who are authorized to jointly recover the secret. 
A (t, n) threshold scheme allows the secret to be recovered if the currently active 
subgroup $A \subseteq \mathcal{P}$ consists of t or more participants, or 

$$\Gamma = \{ A \mid \#A \ge t \}$$ 
where $\#A$ means the cardinality of A. Secret sharing includes two generic algorithms: 

1. the dealer, which sets up the scheme, i.e. takes a secret to be shared and splits 
it into shares which are securely conveyed to participants, 

2. the combiner, which reconstructs the secret. The currently active participants 
from the group A send their shares via secure channels. The combiner is always 
successful if the currently active group A belongs to the access structure 
$\Gamma$. Otherwise, if $A \notin \Gamma$, it fails with an overwhelming probability. 

A secret sharing is called perfect if any unauthorized sub-group of participants 
cannot learn anything about the secret. More precisely 

$$H(K \mid A \notin \Gamma) = H(K)$$ 

where $H(K)$ is the entropy of the secret K. Clearly, $H(K \mid A \in \Gamma) = 0$. A 
perfect secret sharing is called ideal if the size of shares is equal to the size of 
the secret. 

The Shamir (t, n) threshold scheme is based on polynomial interpolation. 
Given t points on the two-dimensional plane $(x_1, y_1), \ldots, (x_t, y_t)$ with distinct 
$x_i$'s, there is a unique polynomial $f(x)$ of degree at most $t - 1$ such that 
$y_i = f(x_i)$ for all i. The Lagrange interpolation allows the recreation of the 
polynomial using the following expression 

$$f(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \ne i}^{t} \frac{x - x_j}{x_i - x_j} \qquad (1)$$ 



Let the secret be an element of a finite field, that is, $K \in GF(p)$, where p is 
a prime. 

Dealer 

1. chooses n distinct and non-zero elements of $Z_p$, denoted $x_1, \ldots, x_n$, and publishes 
them together with the assignment of $x_i$ to each $P_i$. 

2. secretly picks (independently at random) $t - 1$ elements of $Z_p$, denoted 
$a_1, \ldots, a_{t-1}$, and forms the polynomial 

$$f(x) = K + \sum_{i=1}^{t-1} a_i x^i.$$ 

3. For $1 \le i \le n$, computes $s_i$ such that 

$$s_i = f(x_i) \pmod p.$$ 

4. gives (in private) share $s_i$ to participant $P_i$. 
Combiner 

1. Every collection of at least t participants can apply the Lagrange interpolation 
and reconstruct the polynomial $f(x)$ and hence recover the secret 
$K = f(0)$. An alternative method of secret reconstruction may use a system 
of linear equations in which the unknown K is sought. 

It is well-known that the Shamir scheme is perfect. That is, the probability 
of an unauthorized set of participants being able to determine the secret is no 
better than that of an outsider, and therefore is no better than guessing the 
secret. It is also clear that Shamir’s scheme is ideal, that is, the length of the 
share assigned to each participant is the same as the length of the secret. 



3.1 Tompa-Woll Attack on Shamir Schemes 

Tompa and Woll [1] discovered a way dishonest participants can cheat when using 
the (t, n) Shamir secret sharing based on the polynomial $f(x)$. Each participant 
holds her share $s_i = f(x_i)$ and $x_i$ is public; $i = 1, \ldots, n$. Without loss of 
generality, assume that the currently active sub-group is $A = \{P_1, \ldots, P_t\}$. Let 
the collection $C = \{P_1, \ldots, P_\ell\}$ be cheaters who collectively wish to fool the 
other active participants (clearly $C \subset A$). If the cheaters know the currently 
active sub-group (note that this is an important assumption), then they can 
collectively define a random polynomial $\Delta(x)$ such that 

$$\Delta(x_i) = \begin{cases} 0 & \text{for } P_i \in A \setminus C \\ \delta_i & \text{for } P_i \in C \end{cases}$$ 

where $\delta_i$ are chosen by C. We assume that $\Delta(0) \ne 0$. At the pooling time, 
honest participants submit their shares $s_i$, $i = \ell + 1, \ldots, t$, while cheaters give 
$s_i + \delta_i$. The combiner uses the Lagrange interpolation and recovers the polynomial 
$f(x) + \Delta(x)$ and announces the wrong secret $K' = f(0) + \Delta(0)$. The cheaters 
know the polynomial $\Delta(x)$ and the value $\Delta(0)$, so they can recover the secret 
$K = f(0) = K' - \Delta(0)$. 

The polynomial $\Delta(x)$ is likely to be of degree $t - 1$ if the cheaters select their 
$\delta_i$ at random. The other extreme is the deterministic option when 

$$\Delta'(x) = \prod_{i=\ell+1}^{t} (x - x_i)$$ 

of degree $t - \ell$. The values are $\delta_i = \Delta'(x_i)$ for $i = 1, \ldots, \ell$. This option may not 
be preferred by cheaters as the value $\Delta'(0)$ is public and honest participants are 
likely to try it after a corrupted key recovery. Note that a better option for cheaters 
is to generate one $\delta$ at random, say $\delta_1$, and use the Lagrange interpolation 
on the points $((x_1, \delta_1), (x_{\ell+1}, 0), \ldots, (x_t, 0))$. The resulting polynomial $\Delta(x)$ is of 
degree $t - \ell + 1$ and the value $\Delta(0)$ is known to the cheaters only (the uncertainty 
of $\Delta(0)$ and of the secret are the same). 
Tompa and Woll observed that if the co-ordinates $x_i$ are kept secret, then 
the cheaters cannot design the required $\Delta(x)$ polynomial. So they suggest selecting 
the $x_i$'s uniformly at random from all possible values in GF(p), where the 
prime modulus p is 

$$p > \max\left\{ \frac{(|\mathcal{K}| - 1)(t - 1)}{\varepsilon} + t,\ n \right\}.$$ 

The share of participant $P_i$ is a pair $(x_i, f(x_i))$. They have shown that with this 
modification to the Shamir scheme, the probability of successful (undetectable) 
cheating is less than $\varepsilon$ ($\varepsilon > 0$). The mechanism for cheating detection is that not 
every element of GF(p) is now a legal secret. Hence, the probability of cheating 
and recovering one of the $|\mathcal{K}| - 1$ legal but incorrect secrets is less than $\varepsilon$. 

Although cheaters are detected with high probability, they can obtain the 
secret while the other participants gain no information about the secret. In order 
to avoid this undesirable situation, the dealer sets up a sequence of schemes such 
that only one of them is associated with the secret K and the other ones are 
associated with an illegal secret $S \in GF(p) - \mathcal{K}$ (S is known to all participants). 
In the secret reconstruction phase, when t participants agree to pool their shares, they 
reconstruct the secrets one at a time, until the recovered secret is not S. This 
terminates the protocol. If the reconstructed secret is not legal, then cheating 
has occurred. 

Carpentieri, De Santis, and Vaccaro [2] considered the cheating problem in the 
sense of the Tompa and Woll attack and showed that the phenomenon of increasing 
the size of the shares is unavoidable. They demonstrated that any 
secret sharing scheme that has probability of successful cheating less than $\varepsilon > 0$ 
must give each participant shares of size at least the size of the secret plus $\log \frac{1}{\varepsilon}$. 
Note that the size of shares, $\log |s_i|$, in Tompa and Woll's scheme satisfies 

$$2 \log\left[ \frac{(|\mathcal{K}| - 1)(t - 1)}{\varepsilon} + t \right] < \log |s_i| < 2 \log\left[ \frac{(|\mathcal{K}| - 1)(t - 1)}{\varepsilon} + t \right] + 1.$$ 



4 Cheating Prevention via Longer Shares 

Tompa and Woll's attack works because for every set of t points $(x_1, y_1), \ldots, 
(x_t, y_t)$ with distinct $x_i$'s there is a unique polynomial $f(x)$ of degree at most 
$t - 1$ such that $y_i = f(x_i)$ for all i. That is, every set of t such values can be 
selected randomly and independently (if the secret is not given and fixed). Since 
the cooperating participants cannot verify the validity of the secret, they have to 
accept it. However, the correctness of the secret can be verified if an extra share 
of the original secret is available. So if a cheater modifies her share, there is a high 
probability that the resulting polynomial will not pass through the points of honest 
participants (if those points were not used in the Lagrange interpolation). So 
we can use the following mechanism for cheating detection in Shamir's scheme. 

Lemma 1. In a (t, n) Shamir scheme, if $t + 1$ participants cooperate in the secret 
reconstruction phase then the probability of a successful Tompa-Woll attack is $\frac{1}{p}$. 

Proof. If there is cheating in the system, then the $t + 1$ points are independent and 
random. Therefore, with high probability, they will reconstruct a polynomial of 
degree t, which reveals cheating. The probability of recovering a polynomial 
of degree $t - 1$ is equivalent to the probability of constructing a Shamir $(t + 1, n)$ 
scheme and having a polynomial with degree less than t (which is equal to $\frac{1}{p}$). 

Note that this mechanism may not be applicable if an extra share (partici- 
pant) is not available (for example, in a (n, n) scheme). However, this is not the 
case with cheating detection schemes, in which the system allows every partici- 
pant to be given extra information. In the following we show how this mechanism 
can be used to solve the cheating problem in the Shamir threshold scheme. 

Let p be large enough such that the dealer can generate the desirable number 
of shares. The number of shares, as we will see shortly, depends on the required 
probability for cheating detection. 

Dealer 

— chooses 2n distinct and non-zero elements of $Z_p$, denoted $x_1, \ldots, x_{2n}$, and 
sends $x_i, x_{2i}$ to $P_i$ via a public channel. 

— secretly selects (independently at random) $2t - 2$ elements of $Z_p$, denoted 
$a_1, \ldots, a_{2t-2}$, and forms the polynomial 

$$f(x) = K + \sum_{i=1}^{2t-2} a_i x^i.$$ 

— for $1 \le i \le 2n$, computes $s_i$ where 

$$s_i = f(x_i) \pmod p.$$ 

— gives (in private) shares $s_i$ and $s_{2i}$ to participant $P_i$. 

That is, the dealer constructs a $(2t - 1, 2n)$ Shamir scheme. Hence, in the 
secret reconstruction phase, every set of at least t participants (since each participant 
has two shares) can apply the Lagrange interpolation formula to reconstruct 
the polynomial and hence to recover the secret. 

When t participants collaborate, they know 2t shares. However, $2t - 1$ shares 
are sufficient to reconstruct the original polynomial. If there is cheating, then only with 
probability $\frac{1}{p}$ will the extra share be consistent with the constructed polynomial. 
That is, no matter how many cheaters are in the group, the probability 
of successful cheating is $\frac{1}{p}$. 

If we want to decrease the probability of successful cheating, then the dealer 
constructs a $(qt - (q - 1), qn)$ Shamir scheme and sends the shares to the corresponding 
participants. That is, participant $P_i$ receives the tuple $(s_i, s_{2i}, \ldots, s_{qi})$, 
where the shares are generated as in the original Shamir scheme. Similar to the above 
scheme, clearly, every t participants can cooperate in order to recover the secret. 
If every participant contributes q shares and the resulting polynomial is of 
degree $qt - (q - 2)$ then, with probability there is no cheating in the system. 
Otherwise, the scheme detects cheating. 

It is easy to see that for any extra share given to each participant the probability 
of successful cheating is decreased by However, the size of the shares 
in this scheme is $\log p$. That is, in order to have the probability of successful 
cheating less than $\frac{1}{p}$ we give each participant his share plus extra shares of size 
$\log p$. Thus, our scheme meets the best theoretical result given in [2]. 

An alternative method is to increase the size of p (this is also necessary if p is 
not large enough for the dealer to generate as many shares as he wishes). 
If we want to give each participant q extra shares the probability of successful 
cheating is The prime modulus $p > qt$ is sufficient to construct such a 
system. 

The construction of the scheme and the probability of cheating detection is 
similar to the case discussed before. Note that although now the size of each 
share is slightly larger than the secret, the probability of cheating is smaller 
than what we have discussed in the previous scheme. 

5 Cheating Protection via Redundant Secret Sharing 

We explore how the idea of "hiding" the secret sharing among other secret 
sharings can be used for both cheating detection and cheater identification. 

Given two secret sharing schemes $S_1$ and $S_2$ with their corresponding access 
structures $\Gamma_1$ and $\Gamma_2$, respectively, and $\Gamma_1, \Gamma_2 \subset \mathcal{P}$. Secret sharing $S_i$ holds the 
secret $K_i$, $i = 1, 2$. The Cartesian product of $S_1$ and $S_2$ is a scheme denoted as 
$S = S_1 \times S_2$ which holds the secret $K = (K_1, K_2)$. Given an active group A of 
participants, the secret key K can be recovered only if $A \in \Gamma_1 \cap \Gamma_2$. Clearly 
the partial secret $K_i$ can be recovered if $A \in \Gamma_i$. The secret is unknown if $A \notin \Gamma_1$ 
and $A \notin \Gamma_2$. 

Given two Shamir secret sharing schemes $S_1, S_2$ where $S_i$ is a $(t_i, n)$ threshold 
scheme based on the polynomial $f_i(x)$ over $GF(p_i)$, $i = 1, 2$. Then $S = (S_1, S_2)$ 
is a secret sharing with the pair of polynomials $(f_1(x), f_2(x))$. The secret is 
$K = (K_1, K_2)$. Two secret sharings are independent if they were generated independently 
of each other. 

Lemma 2. Given a secret sharing $S = S_1 \times S_2$ where $S_1$ and $S_2$ are independent 
Shamir secret sharing schemes defined as above. Then the scheme S 

— is ideal and perfect if and only if $t_1 = t_2$, 

— is a ramp scheme $(t_1, t_2, n)$ for $t_1 < t_2$, and 

— is a ramp scheme $(t_2, t_1, n)$ for $t_2 < t_1$. 

The proof is obvious and skipped. The definition of the ramp scheme can be 
found in [11]. 

Now we are ready to define our first scheme. Given two independent Shamir 
secret sharing schemes $S_1$ and $S_2$. $S_1$ is based on a polynomial $f(x)$ and $S_2$ is 
based on $g(x)$. Both polynomials are computed over $GF(p)$. 

Dealer. Given secret $K \in GF(p)$ to be collectively held by the group $\mathcal{P}$. The 
dealer sets up a Shamir scheme $S_1$ for the secret with the polynomial $f(x)$ of 
degree precisely $(t - 1)$. Next the dealer sets up $S_2$ over $GF(p)$ with a polynomial 
$g(x)$ of degree precisely $(\ell - 1)$ for a random secret k. Shares $s_i = (\alpha_i, \beta_i) = 
(f(x_i), g(x_i))$ are secretly communicated to participants. 

Combiner. Assume that the active group is $A = \{P_1, \ldots, P_t\}$. The members 
of A submit their shares to the combiner via secure channels. The combiner 
recreates both polynomials $f(x)$ and $g(x)$ using the Lagrange interpolation. Now 
it tests the degree of the polynomials, identifies $f(x)$, and returns the secret 
$K = f(0)$ to active participants via secure channels. 

The scheme has the following properties: 

— is not perfect (the degree of $f(x)$ must be $t - 1$ so any collection of $(t - 1)$ 
principals is able to exclude a single value from the range of possibilities for 
the secret), 

— is not ideal (the share is twice as long as is necessary). 

The ability for cheating prevention is discussed by the following lemma. 

Lemma 3. Given a secret sharing S which is a Cartesian product of two Shamir 
schemes based on $(f(x), g(x))$ defined as above. Then the combiner can detect 
T-W cheating with the probability $\frac{1}{2}$ of any coalition of cheaters $C = \{P_1, \ldots, P_\ell\}$ 
only if $\ell < \frac{t+1}{2}$. 

Proof. The cheaters can pool their shares, but they are unable to identify 
the shares as both collections are statistically indistinguishable. The cheating 
can only be detected if the minimal required degree of $\Delta(x)$ is bigger than the 
degree of $g(x)$. The minimal degree is $t - \ell$ and at the same time the degree of 
$g(x)$ is $\ell - 1$, so solving $t - \ell > \ell - 1$ gives us the required condition on $\ell$. If $\ell$ 
is bigger, then $\Delta(x)$ and $g(x)$ can be of the same degree and 
the cheaters can successfully launch the T-W attack. 

If $\ell < \frac{t+1}{2}$, the cheaters have three possibilities: 

— not to cheat; in this case the combiner will work correctly, 

— apply the T-W attack to one polynomial. If they have targeted $f(x)$, they 
succeed. Otherwise, if $g(x)$ is modified then the combiner will recover $g(x) + 
\Delta(x)$. From our previous considerations, we know that the degree of $\Delta(x)$ 
must be at least $t - \ell$, so consequently the degree of $g(x) + \Delta(x)$ is also $t - \ell$ 
and this fact will be detected by the combiner. 

— apply the T-W attack to both polynomials. This time the modification of 
$g(x)$ will always be detected. It is reasonable to assume that the cheaters 
will disregard this option. 

So the conclusion follows. $\blacksquare$ 



Corollary 1. The above scheme based on $(f(x), g(x))$ allows cheaters to be identified 
if $\ell <$ and $\ell < t - \ell$ with the probability $\frac{1}{2}$. 

Proof. Once the coalition C of cheaters has modified $g(x)$, the combiner knows 
$\ell$ corrupted shares and $\ell + u$ correct ones, $u \ge 1$ and $t = 2\ell + u$. Knowing 
that $g(x)$ is of degree $\ell - 1$, the combiner may try to enumerate all possible 
polynomials. Among them, there must be a cluster of $\ell + u$ repetitions identifying 
uncorrupted shares (and participants). $\blacksquare$ 

The discussed cheating prevention gives a relatively high probability of success 
to cheaters. To reduce the probability of success, we can use many controlled 
secret sharings. Given our secret sharing $S_1$ with the polynomial $f(x)$ and the 
secret $K = f(0)$. We design a sequence of Shamir schemes $S_2, \ldots, S_r$, each based 
on the corresponding polynomial $g_i(x)$; $i = 2, \ldots, r$. All secret sharing schemes 
are constructed over the same $GF(p)$. Now we build the Cartesian product 
$S = S_1 \times \cdots \times S_r$. Clearly, if we make the previous assumption as to the size $\ell$ 
of the coalition of cheaters, then the scheme S allows cheaters to be detected and 
identified with the probability $1 -$ 
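The Shamir dealer and combiner of Section 3, the extra-share degree check of Section 4 (Lemma 1 and the $(qt - (q - 1), qn)$ variant) and the Cartesian-product combiner of Section 5 can all be exercised with one small implementation. The Python below is an added example written for this edition and is not code from the paper: it works over a constructed prime p = 1000003 with constructed secrets, takes the public coordinates to be $x_i = i$ (and $n + i, 2n + i, \ldots$ for the extra shares of Section 4, where the paper only requires distinct non-zero x's), and has the Section 5 combiner identify $g(x)$ purely by its degree $\ell - 1$ rather than by the position of the share components. Cheating is simulated as the Tompa-Woll modification of a single pooled share by a constant, i.e. $\Delta(x)$ is that constant times a Lagrange basis polynomial.

```python
import random

P = 1_000_003  # constructed prime; the paper only needs p prime and large enough


def poly_eval(coeffs, x, p=P):
    """Evaluate c_0 + c_1 x + ... + c_m x^m (mod p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def poly_add(a, b, p=P):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(u + v) % p for u, v in zip(a, b)]


def poly_mul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % p
    return out


def interpolate(points, p=P):
    """Lagrange interpolation, eq. (1): coefficients of the unique polynomial
    of degree < m through m points (x_i, y_i) with distinct x_i."""
    coeffs = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % p, 1], p)  # times (x - x_j)
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        coeffs = poly_add(coeffs, [c * scale % p for c in basis], p)
    return coeffs


def degree(coeffs):
    """Degree of a coefficient list (-1 for the zero polynomial)."""
    return max((d for d, c in enumerate(coeffs) if c), default=-1)


def deal_multi(secret, t, n, q, rng, p=P):
    """Section 4 dealer: a (qt-(q-1), qn) Shamir scheme giving P_i q shares;
    q = 1 is the plain (t, n) scheme of Section 3.  Coordinates x = i, n+i, ...
    are our own choice (the paper only needs qn distinct non-zero x's)."""
    f = [secret] + [rng.randrange(p) for _ in range(q * t - q)]
    return [[(j * n + i, poly_eval(f, j * n + i, p)) for j in range(q)]
            for i in range(1, n + 1)]


def combine_with_check(points, max_degree, p=P):
    """Combiner with redundancy (Lemma 1 / Section 4): accept only if the
    interpolated degree is <= max_degree (t-1 for t+1 participants, qt-q for
    the q-share scheme).  Returns (secret, accepted)."""
    f = interpolate(points, p)
    if degree(f) > max_degree:
        return None, False
    return f[0], True


def deal_product(secret, t, ell, n, rng, p=P):
    """Section 5 dealer: f of degree exactly t-1 carries K, g of degree exactly
    ell-1 carries a dummy secret; P_i receives (x_i, f(x_i), g(x_i))."""
    f = [secret] + [rng.randrange(p) for _ in range(t - 2)] + [rng.randrange(1, p)]
    g = [rng.randrange(p) for _ in range(ell - 1)] + [rng.randrange(1, p)]
    return [(i, poly_eval(f, i, p), poly_eval(g, i, p)) for i in range(1, n + 1)]


def combine_product(shares, t, ell, p=P):
    """Section 5 combiner: rebuild both polynomials and pick g out by its degree
    ell-1 (ell < t), ignoring component order.  A modified g has degree
    >= t-ell > ell-1, so nothing of degree ell-1 is found and it aborts."""
    a = interpolate([(x, y) for x, y, _ in shares], p)
    b = interpolate([(x, z) for x, _, z in shares], p)
    for cand, other in ((a, b), (b, a)):
        if degree(other) == ell - 1 and degree(cand) <= t - 1:
            return cand[0], True
    return None, False


def cheat(points, delta, p=P):
    """Tompa-Woll modification of the first pooled point by a constant delta."""
    (x, y), rest = points[0], points[1:]
    return [(x, (y + delta) % p)] + list(rest)


def demo(seed=2000):
    """Run the checks on constructed parameters; returns the outcomes by name."""
    rng = random.Random(seed)
    # Lemma 1: (3,5) scheme, four participants pool, the first one cheats.
    plain = [s[0] for s in deal_multi(12345, 3, 5, 1, rng)]
    out = {"plain": combine_with_check(plain[:4], 2),
           "plain_cheat": combine_with_check(cheat(plain[:4], 1), 2)}
    # Section 4 with q = 2: a (5,10) scheme; three participants pool 6 shares.
    multi = [pt for tup in deal_multi(4242, 3, 5, 2, rng)[:3] for pt in tup]
    out["multi"] = combine_with_check(multi, 4)
    out["multi_cheat"] = combine_with_check(cheat(multi, 1), 4)
    # Section 5: t = 3, ell = 1 < (t+1)/2; f has degree 2, g has degree 0.
    prod = deal_product(999, 3, 1, 5, rng)[:3]
    x, y, z = prod[0]
    out["product"] = combine_product(prod, 3, 1)
    out["g_attacked"] = combine_product([(x, y, (z + 1) % P)] + prod[1:], 3, 1)
    out["f_attacked"] = combine_product([(x, (y + 1) % P, z)] + prod[1:], 3, 1)
    return out
```

Calling demo() returns the seven outcomes as a dictionary: the honest runs recover 12345, 4242 and 999; the modified share in the Lemma 1 and q = 2 runs raises the degree of the interpolated polynomial above the allowed bound and the combiner rejects; in the product scheme an attack on g(x) is rejected while an attack on f(x) alone passes and yields $K' = f(0) + \Delta(0) = 1002$, which is the one-half detection probability of Lemma 3 seen from the combiner's side.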

6 Nonlinear Secret Sharing 

Obviously, the T-W attack works because the Shamir scheme is linear. A way 
to prevent this could be the introduction of secret sharing which is nonlinear. 

Given a group $\mathcal{P}$ of n participants. Assume that we already have a Shamir 
secret sharing based on a polynomial $f(x) \in GF(p^t)$ which allows any t to 
recover the secret $K = f(0)$. Note that the polynomial $f(x)$ can be treated as 
an element of $GF(p^t)$. We would like to apply a nonlinear permutation $\Pi : 
GF(p^t) \to GF(p^t)$ on the element $f(x)$. We have the following possibilities 

— to choose a random permutation, 

— to design a nonlinear permutation. 

We assume that we choose a random permutation $\Pi$. The permutation is public. 
The randomized Shamir scheme is defined as follows. 

Dealer sets up the scheme and 

— designs a (t, n) Shamir scheme with the polynomial $f(x) \in GF(p^t)$, 

— computes $F(x) = \Pi(f(x))$ in $GF(p^t)$, 

— distributes via secure channel shares $s_i = F(x_i)$ to participants. Each participant 
holds her pair $(x_i, s_i)$. Shares $s_i$ are private while $x_i$ are public. 

Combiner is activated by a sub-group of t participants and 

— collects t shares from participants, 

— computes the polynomial $F(x)$ using Lagrange interpolation, 

— recovers the Shamir polynomial $f(x) = \Pi^{-1}(F(x))$ in $GF(p^t)$ and the secret 
$K = f(0)$, 

— the secret $K \in GF(p)$ is communicated privately to all active participants. 
Consider the group $\mathcal{P}$ collectively knows the polynomial $F(x) \in GF(p^t)$. 
Note that in a (t, n) threshold scheme, any collection of t participants holds the 
unique polynomial $F(x)$. Any $(t - 1)$ participants, say $\{P_1, \ldots, P_{t-1}\}$, hold a set 
$\mathcal{F}$ of p different polynomials among which there is the correct one $F(x)$, where 

$$\mathcal{F} = \{ g(x) \mid g(x_i) = s_i,\ i = 1, \ldots, t-1;\ g(x_t) \in GF(p) \}.$$ 

Lemma 4. The randomized secret sharing is perfect only if the set 

$$\{ g(0) \mid g(x) \in \Pi^{-1}(\mathcal{F}) \}$$ 

is of cardinality p (consists of all different elements) for any active set of $(t - 1)$ 
participants. 

The proof is obvious. Note that for a random $\Pi$, perfectness is a rare event as 
it requires that for all polynomials from $\mathcal{F}$ their preimages are polynomials with 
different constants. 

6.1 Modified Tompa-Woll Attack 

We are going to describe a version for $(t - 1)$ cheaters. The general case of the 
attack can be easily derived. Assume that the set of currently active participants 
is $A = \{P_1, \ldots, P_t\}$ with the coalition of cheaters $C = \{P_1, \ldots, P_{t-1}\}$. The attack 
works in the unconditional setting where the attackers have unlimited computing 
resources. The attack progresses as follows. 

— Cheaters collectively decide on a polynomial $\Delta(x) \in GF(p^t)$ such that 
$\Delta(x_t) = 0$ ($\Delta(x) \ne F(x)$). 

— Shares of cheaters (generated from the polynomial $\Delta(x)$) are submitted to 
the combiner. The honest participant $P_t$ submits her share $s_t$. 

— The combiner takes all shares and recovers a polynomial $g'(x)$, transforms 
it to $f'(x) = \Pi^{-1}(g'(x))$ and returns the constant $K' = f'(0)$. 

— Cheaters now exhaustively search through all polynomials from the set 

$$\mathcal{F} = \{ g(x) \mid g(x_i) = s_i;\ i = 1, \ldots, t-1,\ g(x_t) \in GF(p) \},$$ 

find the set $\Pi^{-1}(\mathcal{F})$ and its subset 

$$G(K') = \{ g(x) \mid g(x) \in \Pi^{-1}(\mathcal{F}) \text{ and } g(0) = K' \}.$$ 

— The cheaters may now determine a set of elements 

$$S_t = \{ g(x_t) \mid g(x) \in \Pi(G(K')) \}.$$ 

The set $S_t$ must include the share of the honest participant $P_t$. 

— For each element from $S_t$, the cheaters can compute all possibilities for 
the true secret K. 

To maximize the chance of success, the cheaters can run through all possible 
sets defined by vectors $(a_1, \ldots, a_{t-1})$; $a_i \in GF(p)$ 

$$\mathcal{F}(a_1, \ldots, a_{t-1}) = \{ g(x) \mid g(x_i) = a_i;\ i = 1, \ldots, t-1 \text{ and } g(x_t) \in GF(p) \}.$$ 

The set $\Pi^{-1}(\mathcal{F}(a_1, \ldots, a_{t-1}))$ can be split into subsets $G(k) = \{ g(x) \mid g(x) \in 
\Pi^{-1}(\mathcal{F}) \text{ and } g(0) = k \}$ where $k \in GF(p)$. The cardinality of the biggest subset 
$G(k)$ gives the lower bound on the probability of a successful cheating. 

It is interesting to observe that to get the randomized secret sharing perfect, 
one needs to make sure that the random permutation $\Pi^{-1}$ translates in a one-to-one 
fashion constants in candidates for $f(x)$ into constants of candidates for 
$F(x)$. This is apparently at odds with the requirements for the scheme to be 
resistant against the T-W attack. Is it possible to find a compromise in which 
perfectness is traded off against resistance to the T-W attack? 



6.2 Unconditional Security 

It should be clear by now that if the secret sharing is to be used in the unconditionally 
secure setting, then random selection of the permutation $\Pi$ is not a very 
good idea. It is desirable to select $\Pi$ very carefully, perhaps using combinatorial 
structures whose properties are well known. What properties are to be required 
from a "well designed" permutation $\Pi$? 

Let us enumerate the ones we have identified so far. 

1. $\Pi$ is a permutation over $GF(p^t)$. 

2. For an arbitrary polynomial $\Delta(x)$, the preimage of the set $\mathcal{F} = \{ g(x) \mid g(x) = 
\Delta(x) + a;\ a \in GF(p) \}$ or 

should have polynomials with the same constants. Note that if $\Pi^{-1}(\mathcal{F})$ contains 
polynomials with all different constants the cheaters will always succeed. 
The scheme is then perfect. 



6.3 Conditional Security 

These considerations are valid if the secret belongs to a large space so the cheaters 
cannot exhaustively search the space. Encryption algorithms provide a sufficiently 
large collection of permutations conveniently indexed by their (private 
or public) keys. Given a private-key encryption algorithm such as DES, then 
one can design permutations whose input/output size is a multiple of the block 
size of the algorithm (using the classical permutation-substitution network). The 
T-W attack will proceed as before with the important difference that cheaters 
will be able to find preimages of $\Delta + a$ where a belongs to a small subset whose 
size is related to the computational power of the cheaters. If the combiner returns 
a fake secret then the cheaters may succeed with some probability proportional 
to the size of the subset. 
Consider the case when the permutation is a public key encryption. Given a 
generic public-key cryptosystem with two algorithms: public encryption E and 
private decryption D. Both are permutations (such as the RSA). A (t, n) secret 
sharing based on E, D is defined below. 

Dealer 

— constructs a Shamir scheme with polynomial $f(x) \in GF(p^t)$, 

— builds an instance of a public key cryptosystem with two algorithms E, D. 
Note that the message/cryptogram domain must be a superset of $GF(p^t)$. 
Publishes the E algorithm, 

— converts $f(x)$ into $F(x)$ or 

$$F(x) = D(f(x)) \in GF(q^t)$$ 

where $q > p$, 

— generates shares $s_i = F(x_i)$ and distributes them secretly to participants. 

— dies (and forgets the decryption algorithm). 

Combiner 

— accepts shares from active participants. Having received at least t, it is able 
to recover $F(x)$, 

— uses the public encryption algorithm to obtain $f(x) = E(F(x))$, 

— returns $K = f(0)$ to all active participants via secure channels. 

Theorem 1. Given the above defined secret sharing with the slight modification 
that the combiner returns the recovered polynomial $f(x)$ instead of $K = f(0)$. A 
collection of $(t - 1)$ cheaters can fool the honest participant if and only if finding 
the private decryption algorithm is "easy". 

Proof. (Sketch) We are going to show how the (private) decryption algorithm 
can be constructed from an algorithm C which is used by the successful cheaters. 
The C algorithm is a probabilistic one which accepts a random polynomial 
$\Delta(x)$ ($\Delta(x)$ is also denoted by $\Delta$ if we treat it as an integer) and $f'(x)$ (or $f'$ for 
short) and outputs the share of the honest participant (or equivalently the secret). 

Given a cryptogram $c = E(m)$ where m is the message. Note that the encryption 
algorithm can be seen as the trusted combiner who takes the random $\Delta$ 
and the secret share of the honest participant $m - \Delta$ and returns the prescribed 
$c = E(m)$. Now we use the algorithm C. We input $\Delta$ and c to it and collect 
the share of the honest participant which is $m - \Delta$. This obviously allows the 
encryption algorithm to be reversed. This establishes the equivalence of the two 
security aspects. $\blacksquare$ 

7 Combined Approach 



Separate applications of Cartesian products and nonlinear secret sharing offer 
some benefits but certainly, the application of the two measures jointly may 
offer far better protection against cheaters. Our exposition is simplified as we 
are going to use a single redundant secret sharing as the generalization is trivial 
(but unnecessarily complicated). Clearly, the secret sharing allows any t out of 
n to recover the secret. 

Dealer 

— designs a pair of (t, n) Shamir schemes with the underlying polynomials 
f(x), g(x) ∈ GF(p^t), where the secret is K = f(0) and g(x) is the redundant 
polynomial, which can be easily identified by the combiner. How? This will 
be discussed later. 

— selects a publicly accessible permutation Π : GF(p^{2t}) → GF(p^{2t}) and com- 
putes F(x) = Π(f(x), g(x)), where (f(x), g(x)) ∈ GF(p^{2t}) is the concatenation 
of the two polynomials, 

— secretly distributes shares S_i = F(x_i). Note that the selection of the x co-ordinates 
for the polynomials f, g and F is public and it is reasonable to assume that the x_i 
used for the polynomials f, g and F are identical. 

Combiner 

— calls for shares and, having t of them, recovers F(x), 

— applies the inverse permutation Π^{-1}(F(x)) and retrieves (f(x), g(x)), 

— identifies which polynomial is redundant and returns the secret K = f(0). 
If the identification fails, the combiner aborts. 

This time the selection of a linear permutation Π is an option. Note that the 
coalition of t − 1 cheaters does not know the share of the honest participant, 
which is twice the length of the secret. So their uncertainty about the share of the 
honest participant equals H = log_2 p^2. After getting the secret recovered by the 
combiner, the cheaters reduce their uncertainty to H = log_2 p, which is equal to 
the entropy of the secret. 

One of the steps for the combiner is the identification of the redundant po- 
lynomial, which gets rejected. Let us enumerate some of the options. The poly- 
nomial g(x) can be 

— fixed and publicly known (a single element from GF(p^t)), 

— selected at random from all polynomials which contain t − ℓ public points 
(the space of such polynomials is of cardinality p^ℓ). If ℓ = t there are no 
public points and identification is impossible, 

— chosen at random such that g(0) = h(K), where the function h is publicly ac- 
cessible. 

Note that a redundant g(x) may let cheating slip through unnoticed, while a fixed 
g(x) enables the cheaters to extract more information about the secret (after 
getting the reply from the combiner). 
Abstract. As is known, multiplicative secret sharing schemes over Abe- 
lian groups play an important role in threshold cryptography, such as 
in threshold RSA signature schemes. In this paper we present a new 
approach for constructing multiplicative threshold schemes over finite 
Abelian groups, which generalises a scheme proposed by Blackburn, Bur- 
mester, Desmedt and Wild in Eurocrypt'96. Our method is based on a 
notion of multiple perfect hash families, which we introduce in this pa- 
per. We also give several constructions for multiple perfect hash families 
from resolvable BIBDs, difference matrices and error-correcting codes. 



1 Introduction 

A secret sharing scheme is a method of protecting a secret among a group of 
participants in such a way that only certain specified subsets of the participants 
(those belonging to the access structure) can reconstruct the secret. Secret sha- 
ring schemes were first proposed for cryptographic applications, where they can 
be used as information security primitives for the distribution of trust between 
a number of entities. In most applications the secret is a highly sensitive piece 
of data, and the secret sharing scheme is used to control access to this data by 
requiring certain groups of entities to cooperate in order to retrieve the data. 
Example applications include controlling access to a bank vault (the participants 
are bank managerial staff and the secret is the vault combination), installation of 
high level cryptographic master keys (the participants are senior system managers 
and the secret is the master key), and enabling a nuclear missile (the participants 
are presidents and generals, and the secret is the launch code). 

A secret sharing scheme is normally initialised by an external trusted dealer 
who securely transfers a piece of information relating to the secret, called a 
share, to each participant in the scheme. A (t, n)-threshold scheme is a secret 
sharing scheme where the access structure consists of all subsets of at least t 
participants (out of a total of n) [6,15]. Secret sharing schemes, and in particular threshold 
schemes, have become an indispensable basic cryptographic tool in any security 
environment where active entities are groups rather than individuals [9]. In this 
paper we consider (t, n) secret sharing schemes over Abelian groups with an 
additional property: they are multiplicative. Multiplicative secret sharing schemes over 
Abelian groups were introduced by Desmedt et al in [11,10], mainly based on the 
need for designing threshold cryptosystems, as a generalisation of homomorphic 
secret sharing schemes [3]. For example, multiplicative secret sharing schemes 
over $\mathbb{Z}_N^*$, where N is the product of two distinct primes, play a crucial role in 
RSA threshold decryption and signature schemes (see [11], [10], [5]). 

The goal of this paper is to extend the multiplicative secret sharing scheme 
proposed by Blackburn, Burmester, Desmedt and Wild in Eurocrypt'96 ([5]). 
The Blackburn et al scheme is based on a recursive construction from multiple mul- 
tiplicative secret sharing schemes, and implicitly applies a perfect hash family 
(the explicit connection with perfect hash families is due to Kurosawa and 
Stinson, see [4]). However, their construction requires the execution of indepen- 
dent and multiple rounds of secret sharing schemes with the same secret; this 
might be difficult or impossible in some cryptographic settings, such as an MTA- 
free environment [13]. By introducing multiple perfect hash families, we present 
a new method of constructing multiplicative secret sharing schemes over finite 
Abelian groups. Our construction differs from the Blackburn et al scheme in 
that the secrets for the multiple-round secret sharing schemes can be different or 
even independent. We also give several constructions for multiple perfect hash 
families, mainly combinatorial in nature, from resolvable BIBDs, difference matrices 
and error-correcting codes. 

The paper is organised as follows. In Section 2 we give the basic definitions 
of secret sharing schemes and multiplicative secret sharing schemes. In Section 3, 
we review the previous results. In Section 4, we introduce the notion of a multiple 
perfect hash family and present our new construction. We give several construc- 
tions for multiple perfect hash families in Section 5 and conclude the paper in 
Section 6. 

2 Preliminaries 

Let P = {P_1, ..., P_n} be a group of n participants, S denote the set of secrets, 
and assume the share of P_i is selected from the set S_i. A (t, n)-threshold scheme 
is a pair of algorithms: the dealer algorithm and the combiner algorithm. For a 
secret from S, the dealer algorithm applies the mapping 

$$\mathcal{D} : S \to S_1 \times \cdots \times S_n$$ 

to assign shares to participants in P. The combiner algorithm takes the shares 
of a subset A ⊆ P of participants and returns either the secret, if A ⊆ P 
and |A| ≥ t, or it fails: 

$$\mathcal{C} : \bigcup_{P_i \in A} S_i \to S \cup \{\mathit{fail}\}.$$ 
The classic example of a (t, n) secret sharing scheme is Shamir's scheme [15], 
which uses Lagrange interpolation on polynomials over finite fields. It has 
S = S_i = GF(q) and works as follows. To construct a (t, n) threshold scheme 
(n < q) protecting s ∈ S, choose n distinct non-zero values x_1, ..., x_n ∈ GF(q) 
and define D as 

$$\mathcal{D}(s) = (f(x_1), \ldots, f(x_n)),$$ 

where f(x_i) = s + r_1 x_i + r_2 x_i^2 + ... + r_{t-1} x_i^{t-1} and r_1, ..., r_{t-1} are t − 1 random 
values from GF(q). The values x_i are made public (x_i is associated with P_i). The 
function C takes as input at least t valid shares and uses the Lagrange interpolation 
formula to compute f(x) as 

$$f(x) = \sum_{i \in B} f(x_i) \prod_{j \in B,\, j \neq i} \frac{x - x_j}{x_i - x_j},$$ 

where B ⊆ {1, ..., n} and |B| = t, hence reconstructing the secret s = f(0). 

In a multiplicative threshold secret sharing scheme over groups [11], [10], 
the key space S is a finite group with respect to the operation ∗ and for any 
t distinct participants P_i, i ∈ B, where B = {i_1, i_2, ..., i_t} ⊆ {1, 2, ..., n}, there 
exists a family f_{i_1,B}, ..., f_{i_t,B} of functions from S_{i_1}, ..., S_{i_t} to S, respectively, 
and a public ordering i_1, ..., i_t of the elements of B with the following property. For 
any key s ∈ S and shares s_{i_1}, ..., s_{i_t} that have been distributed to P_i, i ∈ B, by 
the dealer algorithm D on input s, we may express s as: 

$$s = f_{i_1,B}(s_{i_1}) * \cdots * f_{i_t,B}(s_{i_t}).$$ 

A multiplicative scheme is homomorphic if the share set S_i also has a group 
structure and the function f_{i,B} is a group homomorphism from S_i to S, for all i 
and B. Shamir's scheme over the finite field is a homomorphic scheme, where 
f_{i,B}(s_i) is defined by 

$$f_{i,B}(s_i) = s_i \prod_{j \in B,\, j \neq i} \frac{-x_j}{x_i - x_j}.$$ 



3 Previous Results 

To the best of our knowledge, the first work that explicitly studied multiplicative secret 
sharing schemes was due to Desmedt and Frankel [11]. The basic idea behind their 
constructions is to generalise Shamir's (t, n) threshold secret sharing scheme over 
finite fields to finite Abelian groups and extend Lagrange polynomial interpola- 
tion over finite fields to modules over rings. The shortcoming of the Desmedt-Frankel 
(t, n) multiplicative secret sharing scheme is that the size of the share for each par- 
ticipant is at least n times that of the secret, thus it could result in a very 
inefficient scheme for a large group. For details of this approach we refer to 
[11]. 

The second approach to multiplicative threshold schemes, due to Blackburn, 
Burmester, Desmedt and Wild [5], was to recursively execute multiple (t, m) 
threshold schemes to build a (t, n) scheme with n > m. The explicit connection 
between perfect hash families and their construction was later observed by Kurosawa 
and Stinson, and further developed by Blackburn in [4]. Since the goal of this 
paper is to extend the Blackburn et al scheme, in the remainder of this section we 
briefly review their scheme. 

3.1 Blackburn-Burmester-Desmedt-Wild Scheme 

We briefly review the definition and basic results on perfect hash families before 
we describe the Blackburn-Burmester-Desmedt-Wild scheme. 

An (n, m, w)-perfect hash family is a set of functions F such that 

$$f : \{1, \ldots, n\} \to \{1, \ldots, m\}$$ 

for each f ∈ F, and for any X ⊆ {1, ..., n} such that |X| = w, there exists 
at least one function f in F such that f is an injection on X, i.e. the re- 
striction of f to X is one-to-one. For a subset X, if the restriction of a fun- 
ction f to X is one-to-one, then we call f perfect on X. We will use the not- 
ation PHF(N; n, m, w) for an (n, m, w) perfect hash family with |F| = N. Let 
N(n, m, w) denote the minimum value N such that a PHF(N; n, m, w) exists. 
We will be interested in the problem of how small N(n, m, w) can be for given 
n, m and w. In particular, we are interested in the behaviour of N(n, m, w) as 
a function of n, when m and w are fixed. From [14], we know that for fixed m 
and w, N(n, m, w) is O(log n). 

Perfect hash families originally arose as part of compiler design; see Mehlhorn 
[14] for a summary of the early results in this area. They have applications to 
operating systems, language translation systems, hypertext, hypermedia, file ma- 
nagers, and information retrieval systems; see Czech, Havas and Majewski [7] for 
a survey of recent results. They have also been applied to cryptography, for 
example in broadcast encryption [12], in secret sharing [5], and in threshold cryptogra- 
phy [4,9]. 

The idea behind the Blackburn et al construction is to combine multiple threshold 
schemes (for a small number of participants) and a perfect hash family to obtain 
a new threshold scheme for a larger number of participants. That is, if we have an 
algorithm for a (w, m) threshold scheme and a PHF(N; n, m, w), then we can 
efficiently construct a (w, n) threshold scheme. The scheme works as follows. 

1. On being given a secret s ∈ S, execute independently the dealer algorithm 
D_0 of the (w, m) threshold scheme for the secret s in N rounds, where N is the 
total number of functions in the perfect hash family, and produce elements 
c^1, ..., c^N ∈ S_0^m, where S_0 is the set of shares of the old w out of m threshold 
scheme. For each j ∈ {1, ..., N}, we write c^j = (c_{j1}, ..., c_{jm}), where 
c_{jk} ∈ S_0 denotes the kth share of the jth round of the (w, m) secret sharing scheme. 

2. Assign n shares for a (w, n) threshold scheme with participants P = {P_1, ..., 
P_n} as follows. We write F = {f_1, ..., f_N} and the share of P_i is 

$$(d_{i1}, \ldots, d_{iN})$$ 

defined by 

$$d_{ij} = c_{j,\, f_j(i)}$$ 

for all 1 ≤ i ≤ n and 1 ≤ j ≤ N, that is, d_{ij} is the share of round j indexed by 
the hash value f_j(i). 

We denote the old (w, m) threshold scheme as (D_0, C_0) and the new (w, n) thres- 
hold scheme as (D, C). Following [5], we assume that the share spaces of the 
participants in the old (w, m) threshold scheme are the same; the share expan- 
sion is then defined to be the rate max_{1≤i≤n} log|S_i| / log|S_0|. In particular, if 
the old scheme is ideal, then the share expansion is just the reciprocal of the 
information rate as known in the theory of secret sharing. We thus know that in 
the above construction the share expansion of the new scheme over the old scheme 
is N, that is, the number of functions in the perfect hash family. 

Theorem 1. ([5,4]) Let (D_0, C_0) be a perfect (w, m) threshold scheme, and F 
a PHF(N; n, m, w). Then (D, C) is a perfect (w, n) threshold scheme and its 
share expansion (relative to (D_0, C_0)) is N. Moreover, (D, C) is multiplicative provided 
that (D_0, C_0) is multiplicative. 



4 A New Approach 

One problem with the Blackburn et al construction is that it requires executing 
independent and multiple (w, m) secret sharing schemes with the same secret. In 
some situations (for example, in MTA-free secret sharing [13]) it might be difficult 
or impossible to do so; this leads us to consider the possibility of extending their 
scheme to cater for this situation. 



4.1 Multiple Perfect Hash Families 

We first introduce the notion of a multiple perfect hash family, which is a 
straightforward generalisation of a perfect hash family. We then extend the Blackburn 
et al scheme based on multiple perfect hash families. 

A k-(n, m, w)-perfect hash family is a set of functions F such that 

$$f : \{1, \ldots, n\} \to \{1, \ldots, m\}$$ 

for each f ∈ F, and for any X ⊆ {1, ..., n} such that |X| = w, there exist at 
least k functions f_{ℓ_1}, ..., f_{ℓ_k} in F such that f_{ℓ_i} is an injection on X, i.e. the 
restriction of f_{ℓ_i} to X is one-to-one, for all 1 ≤ i ≤ k. For a subset X, if the 
restriction of a function f to X is one-to-one, then we say f is perfect on X. 
We will use the notation k-PHF(N; n, m, w) for a k-(n, m, w) perfect hash 
family with |F| = N. 

4.2 The New Construction 

Our new construction is based on multiple perfect hash families and it works as 
follows. 

1. Let F = {f_1, ..., f_N} be a k-PHF(N; n, m, w) multiple perfect hash family. 
We assume that there is a (k, N) threshold scheme (D_0, C_0) for a secret set 
S. For a given secret s ∈ S, execute the dealer algorithm D_0 of the (k, N) 
scheme to obtain N shares a_1, ..., a_N ∈ S_0 (assuming that all the shares are 
from a common domain S_0). 

2. For each a_t, 1 ≤ t ≤ N, execute the dealer algorithm D' of a (w, m) scheme 
(D', C') to protect the secret a_t with m shares denoted by a_{1t}, ..., a_{mt}. 

3. Construct a (w, n) threshold scheme (D, C) by defining n shares d_1, ..., d_n 
as 

$$d_j = (a_{f_1(j),1}, \ldots, a_{f_N(j),N}),$$ 

i.e. the tth component of d_j is the share of round t indexed by the hash value f_t(j), 
and assign d_j to participant P_j for all 1 ≤ j ≤ n. 

Theorem 2. In the above construction, the resulting (w, n) secret sharing sche- 
me (D, C) is perfect provided that (D_0, C_0) and (D', C') are both perfect. Moreover, 
(D, C) is multiplicative, provided that (D_0, C_0) is homomorphic and (D', C') is 
multiplicative. 

Proof. (Sketch) Assume w participants P_{i_1}, ..., P_{i_w} want to recover the secret 
s, using their shares d_{i_1}, ..., d_{i_w}. Let X = {i_1, ..., i_w}. Since F is a k- 
PHF(N; n, m, w), there exist k perfect hash functions f_{ℓ_1}, ..., f_{ℓ_k} ∈ F such 
that each f_{ℓ_j} is perfect on X = {i_1, ..., i_w}. It follows that P_{i_1}, ..., P_{i_w} can recon- 
struct the shares a_{ℓ_1}, ..., a_{ℓ_k} using their shares d_{i_1}, ..., d_{i_w}. Indeed, applying 
f_{ℓ_j} to d_{i_1}, ..., d_{i_w}, we can retrieve w distinct shares in the secret sharing scheme 
(D', C') associated with the secret a_{ℓ_j}, and so recover a_{ℓ_j}. Since a_{ℓ_1}, ..., a_{ℓ_k} 
consist of k shares of the (k, N) scheme (D_0, C_0), the secret s can be 
reconstructed. 

Next we show that any w − 1 participants have no information about the 
secret. Indeed, any w − 1 participants have at most w − 1 shares for each round of 
the (w, m) secret sharing scheme (D', C'). Since the N rounds of the (w, m) scheme 
(D', C') are independent, it follows that w − 1 participants have no information 
about a_1, ..., a_N, and so have no information about the secret s. 

The verification of the multiplicative property of (D, C) is straightforward. 

Observe that given a k-PHF(N; n, m, w), we can compose a (k, N) secret 
sharing scheme and a (w, m) secret sharing scheme to obtain multiple (w, n) 
secret sharing schemes. That is 

$$(\mathcal{D}_0, \mathcal{C}_0) \circ (\mathcal{D}', \mathcal{C}') \Rightarrow (\mathcal{D}, \mathcal{C}).$$ 

It is worth noting that the Blackburn et al scheme is a special case of the above 
more general construction. Indeed, if k = 1, then (D_0, C_0) is just the trivial 
(1, N) secret sharing scheme, and our construction coincides with theirs. 

The efficiency of our general construction is almost the same as that of the Blackburn 
et al construction, since the complexity of both k-PHF(N_1; n, m, w) and 
PHF(N_2; n, m, w) with respect to N_1 and N_2, as functions of n, m, w, is almost 
the same. However, as we pointed out previously, one advantage of our method 
is that we do not need to execute multiple secret sharing schemes with the same 
secret. 
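The composition of Section 2 (Shamir), Section 3.1 and Section 4.2 worked through as an added example; this is not code from the paper. Both component schemes are Shamir over a prime field GF(P) (P is my choice), the 2-PHF(3; 9, 3, 2) is the one Theorem 4 yields from the (3, 3; 1)-difference matrix d_{i,a} = i·a mod 3, and with k = 1 the same dealer and combiner are the Blackburn et al scheme.

```python
"""Worked instance of the Section 4.2 construction (added example, not the
paper's code). Parameters assumed here: Shamir over GF(P) for both component
schemes and the 2-PHF(3; 9, 3, 2) from the difference matrix d[i][a] = i*a
mod 3, so k = 2, N = 3, n = 9, m = 3, w = 2 (a (2, 9) scheme)."""
import random

P = 1_000_003  # assumed prime modulus of the Shamir field GF(P)


def shamir_share(secret, t, n):
    """(t, n) Shamir shares (x, f(x)) for x = 1..n, with f(0) = secret."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def shamir_recover(shares):
    """Lagrange interpolation at x = 0 from (x, y) pairs with distinct x."""
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s


def difference_matrix_phf(q, r):
    """Row i of the (q, r; 1)-difference matrix d[i][a] = i*a mod q (q prime)
    gives the hash (a, b) -> (i*a + b) mod q on V = Z_q x Z_q; points are
    numbered a*q + b. Returns r functions {0..q*q-1} -> {0..q-1}."""
    return [(lambda pt, i=i: (i * (pt // q) + pt % q) % q) for i in range(r)]


def deal(secret, phf, n, k, w, m):
    """Steps 1-3: (k, N) outer Shamir on the secret, one (w, m) round per
    hash function, and d_j = (a_{f_1(j),1}, ..., a_{f_N(j),N})."""
    N = len(phf)
    outer = shamir_share(secret, k, N)                        # a_1 .. a_N
    rounds = [dict(shamir_share(a, w, m)) for _, a in outer]  # x -> a_{x,t}
    # hash values 0..m-1 select the share with x = value + 1 in round t
    return [[rounds[t][phf[t](j) + 1] for t in range(N)] for j in range(n)]


def combine(ids, shares, phf, k, w):
    """Combiner for w participants `ids` holding `shares`: every round whose
    hash is perfect on ids yields one outer share; k of them give the secret."""
    outer = []
    for t, f in enumerate(phf):
        xs = [f(j) + 1 for j in ids]
        if len(set(xs)) == len(ids) == w:                     # f perfect on X
            a_t = shamir_recover([(x, d[t]) for x, d in zip(xs, shares)])
            outer.append((t + 1, a_t))
    return shamir_recover(outer[:k]) if len(outer) >= k else None


def demo(secret=424242):
    """2-PHF(3; 9, 3, 2) + (2, 3) outer + (2, 3) inner = (2, 9) scheme.
    Returns True iff every pair of the 9 participants recovers the secret."""
    phf = difference_matrix_phf(3, 3)
    d = deal(secret, phf, n=9, k=2, w=2, m=3)
    return all(combine([i, j], [d[i], d[j]], phf, 2, 2) == secret
               for i in range(9) for j in range(i + 1, 9))


if __name__ == "__main__":
    print("all pairs recover the secret:", demo())
```

Each participant holds N = 3 field elements, matching the share expansion N of Theorem 1; a lone participant gets no round on which the hash is perfect and `combine` returns None.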
5 Constructions for Multiple Perfect Hash Families 

The resulting (w, n) scheme from the construction in the previous section has 
information rate N r_0 r', assuming the information rates for (D_0, C_0) and (D', C') 
are r_0 and r', respectively. Thus the efficiency of our scheme will depend on the 
size N of the perfect hash family. In this section, we give three explicit construc- 
tions (using resolvable BIBDs, difference matrices and error-correcting codes) for 
multiple perfect hash families with small sizes of the families. 

Let V and U be sets such that |V| = n and |U| = m. Recall that a k- 
(n, m, w)-perfect hash family is a set of functions F of the form f : V → U such 
that for any X ⊆ V with |X| = w, there exist at least k functions f_{ℓ_1}, ..., f_{ℓ_k} in 
F such that f_{ℓ_i} is an injection on X, i.e. the restriction of f_{ℓ_i} to X is one-to-one, for 
all 1 ≤ i ≤ k. Let k-PHF(N; n, m, w) denote a k-(n, m, w) perfect hash family 
with |F| = N. We also write PHF(N; n, m, w) for 1-PHF(N; n, m, w). From 
the definition, we know that the perfect hash functions in F are not necessarily 
distinct, and thus a k perfect hash family can be trivially constructed from a 
perfect hash family by repeating each function k times. Assuming that we have 
a PHF(N_0; n, m, w), we always have a k-PHF(N; n, m, w) with N = kN_0. 
The question we are interested in is: can we increase N_0 by a small amount, 
instead of k times N_0, to obtain a k-PHF(N; n, m, w)? We found that several 
known constructions of perfect hash families have this property. 

Before starting our constructions, we give two reformulations of multiple 
perfect hash families, following [4]. Let V = {1, ..., n}. A set X ⊆ V is separated 
by a partition π of V if the elements of X are in distinct parts of π. A k- 
PHF(N; n, m, w) is a family F of N (not necessarily distinct) partitions of 
V such that each π ∈ F has at most m parts and such that for all X ⊆ V 
with |X| = w, there are k (also not necessarily distinct) partitions π_1, ..., π_k 
that separate X. Another reformulation is as follows. Let A be an n × N array, 
having entries in U = {1, ..., m}. We say that the tth column of A separates 
a set X of rows of A if the tth components of the rows in X are all distinct. A 
k-PHF(N; n, m, w) is an n × N array A with entries in the set U which has 
the property that for every subset X of the rows of A with |X| = w, there are 
at least k columns that separate X. As observed in [4], the three definitions of 
multiple PHF are equivalent. 

Our first construction, using resolvable Balanced Incomplete Block Designs 
(BIBD), is due to Brickell; we have taken it from [2] and [4]. A (v, b, r, t, λ)- 
BIBD is an incidence structure, having a set V of v points and a family 
B of b blocks. Each point is contained in r blocks, each block contains t points 
and each pair of distinct points is in exactly λ blocks. It follows from elementary 
counting that vr = bt and λ(v − 1) = r(t − 1). A (v, b, r, t, λ)-BIBD, (V, B), is 
resolvable if B can be partitioned into parallel classes, each of which consists of 
v/t disjoint blocks. 

Theorem 3. Suppose there exists a resolvable (v, b, r, t, λ)-BIBD. Let w be an 
integer such that w ≥ 2 and such that r ≥ λ\binom{w}{2} + k. Then there exists a k- 
PHF(λ\binom{w}{2} + k; v, v/t, w). 

Proof. The r parallel classes of the BIBD give rise to r partitions of the point 
set V of order v; each of these partitions has v/t parts. Let F be any subset 
of these partitions of order λ\binom{w}{2} + k (possible since r ≥ λ\binom{w}{2} + k). Let X ⊆ V be a set of points of 
order w. Now a partition π ∈ F fails to separate X if and only if π fails to 
separate some pair of elements in X. There are at most λ partitions in F that 
fail to separate a fixed pair of elements in X, since there are (exactly) λ parallel 
classes in the block design that contain the pair of points in a block. Hence there 
are at most λ\binom{w}{2} partitions in F that fail to separate X. Since |F| = λ\binom{w}{2} + k, 
there are k partitions in F that separate X. Thus we have shown that F is a 
k-PHF(λ\binom{w}{2} + k; v, v/t, w). 



Corollary 1. ([2]) Suppose q is a prime power and q ≥ \binom{w}{2} + k − 1. Then there 
exists a k-PHF(q + 1; q^2, q, w). 

Proof. For any prime power q, there exists a resolvable (q^2, q^2 + q, q + 1, q, 1)- 
BIBD. The result follows from Theorem 3. 

The second construction, due to Atici, Magliveras, Stinson and Wei [2], is 
taken from Blackburn [4]. Recall that a (q, r; 1)-difference matrix is an r × q 
matrix D = (d_{ij}), having entries in Z/qZ, such that 

$$\{\, d_{i,\ell} - d_{j,\ell} \mid 1 \le \ell \le q \,\} = \mathbb{Z}/q\mathbb{Z}$$ 

for all distinct elements i, j ∈ {1, ..., r}. In other words, the vector formed by 
taking the difference of any two distinct rows of D contains each element of 
Z/qZ exactly once. 

Theorem 4. Suppose there exists a (q, r; 1)-difference matrix D = (d_{ij}), where 
r ≥ \binom{w}{2} + k. Then there exists a k-PHF(\binom{w}{2} + k; q^2, q, w). 

Proof. Let V = Z/qZ × Z/qZ. Each row (d_{i,1}, d_{i,2}, ..., d_{i,q}) of D gives rise to a 
partition of V into q parts, V_1, ..., V_q, such that (a, b) ∈ V_u if and only if 

$$d_{i,a} + b = u.$$ 

Define F to be any set of \binom{w}{2} + k partitions of V which arise in this way. To 
prove that F is a k-PHF(\binom{w}{2} + k; q^2, q, w) it suffices to prove that for any pair 
of points (a_1, b_1) and (a_2, b_2) in V there is at most one partition arising from D 
that fails to separate {(a_1, b_1), (a_2, b_2)}. For suppose that the ith and jth rows 
of D give rise to partitions of V that fail to separate {(a_1, b_1), (a_2, b_2)}. Then 

$$d_{i,a_1} + b_1 = d_{i,a_2} + b_2 \quad\text{and}\quad d_{j,a_1} + b_1 = d_{j,a_2} + b_2.$$ 

It follows that d_{i,a_1} − d_{j,a_1} = (d_{i,a_2} + b_2 − b_1) − (d_{j,a_2} + b_2 − b_1) = d_{i,a_2} − d_{j,a_2}. Since 
every element of Z/qZ occurs exactly once in the vector which is the difference 
of rows i and j of D, we have that a_1 = a_2. The equality d_{i,a_1} + b_1 = d_{i,a_2} + b_2 
then implies that b_1 = b_2. This is a contradiction, since we are assuming that (a_1, b_1) 
and (a_2, b_2) are distinct. 
The third construction is based on error correcting codes. Recall that an 
(ℓ, M, d, q)-code is a set of M q-ary vectors of length ℓ, with the property that 
any two vectors in this set differ in at least d positions. 

Theorem 5. Suppose that there exists an (ℓ, M, d, q)-code. Let w be an integer 
such that w ≥ 2 and such that 

$$d \ge \frac{\left(\binom{w}{2} - 1\right)\ell + k}{\binom{w}{2}}.$$ 

Then there exists a k-PHF(ℓ; M, q, w). 

Proof. Let A denote an M × ℓ array with entries in a q-set such that the rows 
of A are all the codewords of an (ℓ, M, d, q)-code. We show that A is a k- 
PHF(ℓ; M, q, w) if the conditions of the theorem are satisfied. 

Let X be a set of rows of A with |X| = w. Since the minimum distance 
of the code is d, any given pair of distinct rows from X has at most ℓ − d 
columns in which the corresponding entries of these two rows are the same. There 
are \binom{w}{2} possible pairs of distinct rows from X; it follows that there are at least 
ℓ − \binom{w}{2}(ℓ − d) columns whose entries restricted to the rows of X are all distinct. 
That is, there are at least ℓ − \binom{w}{2}(ℓ − d) columns of A that separate X. The condition 
d ≥ ((\binom{w}{2} − 1)ℓ + k)/\binom{w}{2} implies ℓ − \binom{w}{2}(ℓ − d) ≥ k. The desired result follows. 
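Theorems 4 and 5 checked by brute force over the array reformulation, as an added example that is not the paper's code: the n × N array is built from the cyclic (q, q; 1)-difference matrix d_{i,a} = i·a mod q and from a Reed-Solomon (q, q^deg, q − deg + 1, q)-code (both assume q prime, my choice), and the minimum number of separating columns over all w-subsets of rows is compared with the bounds r − C(w,2) and ℓ − C(w,2)(ℓ − d).

```python
"""Brute-force check of Theorems 4 and 5 (added example, not the paper's code).
Assumptions: q is prime, so i*a mod q is a (q, q; 1)-difference matrix and
the Reed-Solomon evaluation code over GF(q) has distance q - deg + 1."""
from itertools import combinations
from math import comb


def min_separating_columns(array, w):
    """Largest k for which `array` (rows = points, columns = hash functions)
    is a k-PHF for subsets of size w: the minimum, over all w-subsets X of
    rows, of the number of columns whose entries on X are all distinct."""
    ncols = len(array[0])
    best = ncols
    for rows in combinations(array, w):
        separating = sum(len({r[c] for r in rows}) == w for c in range(ncols))
        best = min(best, separating)
    return best


def cyclic_difference_matrix(q):
    """d[i][a] = i*a mod q for i = 0..q-1: a (q, q; 1)-difference matrix when
    q is prime, because row i minus row j is (i-j)*a, a permutation of Z_q."""
    return [[(i * a) % q for a in range(q)] for i in range(q)]


def phf_from_difference_matrix(D, q, nrows=None):
    """Theorem 4: row i of D partitions V = Z_q x Z_q by sending the point
    (a, b) to part d[i][a] + b mod q. Returns the q*q x nrows array (points
    numbered a*q + b), one column per row of D used."""
    use = D if nrows is None else D[:nrows]
    return [[(row[a] + b) % q for row in use] for a in range(q) for b in range(q)]


def reed_solomon_code(q, deg):
    """All q^deg polynomials of degree < deg over GF(q), q prime, evaluated at
    the q field points: an (l = q, M = q^deg, d = q - deg + 1, q)-code, given
    as its M x l array of codewords (rows)."""
    words = []
    for idx in range(q ** deg):
        coeffs = [(idx // q ** j) % q for j in range(deg)]
        words.append([sum(c * pow(x, j, q) for j, c in enumerate(coeffs)) % q
                      for x in range(q)])
    return words


def theorem5_bound(l, d, w):
    """Columns guaranteed to separate any w-subset: l - C(w,2) * (l - d)."""
    return l - comb(w, 2) * (l - d)


def check_difference_matrix_phf(q, w):
    """Returns (k_actual, k_bound): Theorem 4 with all r = q rows of the
    cyclic difference matrix promises k = r - C(w,2)."""
    D = cyclic_difference_matrix(q)
    actual = min_separating_columns(phf_from_difference_matrix(D, q), w)
    return actual, q - comb(w, 2)


def check_code_phf(q, deg, w):
    """Returns (k_actual, k_bound) for the Reed-Solomon array of Theorem 5."""
    code = reed_solomon_code(q, deg)
    return min_separating_columns(code, w), theorem5_bound(q, q - deg + 1, w)


if __name__ == "__main__":
    print("Theorem 4, q=5, w=3 (actual, bound):", check_difference_matrix_phf(5, 3))
    print("Theorem 5, q=7, deg=2, w=3 (actual, bound):", check_code_phf(7, 2, 3))
```

For the degree-1 Reed-Solomon code the array coincides with the difference-matrix array (both have entry i·a + b), so the two theorems give the same k on that instance; larger deg exercises Theorem 5 on its own.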

6 Conclusion 

In this paper, we present a new method of constructing multiplicative secret 
sharing schemes over finite Abelian groups. We introduce the notion of a multiple 
perfect hash family, which is the basis of our new construction; we also present 
several constructions of multiple perfect hash families from some combinatorial 
structures. 
Abstract. When more than one user signs a single message, each signer 
is in a different position in a signing group and has a different respon- 
sibility. In such a case, it is important to verify not only the names of 
the participants but also the order of signers. To meet such a requirement an 
RSA-based multisignature scheme for various group structures was pro- 
posed in [5]. This scheme can deal with a group composed of serial and 
parallel structures. With serial structures different signing orders produce 
different multisignatures and with parallel structures the multisignatures 
are independent of the signing order. Since the security proofs given in 
[5] are not complete, it remains open whether the scheme is secure or 
not. In this paper, we propose a slight modification of the scheme and 
prove its security by showing reductions to computationally primitive 
problems. 



1 Introduction 

A multisignature scheme is a type of digital signature scheme in which more than 
one user signs a single message. Such a scheme is constructed using a public key 
cryptosystem like the RSA scheme [9]. Multisignature schemes based on RSA can 
be divided into two classes. One is a scheme in which all signers use a common 
modulus as described in [2,3]; the other is a scheme in which each signer uses 
a different modulus as described in [8]. Besides RSA, there is a multisignature 
scheme [10] based on the ElGamal cryptosystem [6]. 

Generally speaking, each signer of a multisignature scheme is in a different 
position in a signing group and has a different responsibility. The signing order 
often reflects these differences. For example, a signer D supervising the work of 
a group G signs a document after all members A, B, C of G have signed. By 
checking the signing order, a verifier knows that D has supervised the creation 
of the document by G. In such a case, if D signs before other group members, a 
generated multisignature should become invalid. On the other hand, the signing 
order does not have meaning in all cases. It could happen that the signing order 
in G has no importance. In this case A, B, C are allowed to sign in an arbitrary 
order and D should sign afterwards. Similarly to this example, we can consider 
concrete examples that involve banks or command structures. 

A group is said to be structured if the group of signers is structured. The 
structured group of signers is composed of two structures: 1) the serial structure, 
in which the signing order can be detected by a verifier from a signature, 2) the 
parallel structure, in which the signing order cannot be detected by a verifier 
from a signature. By combining these two types of structures, more complicated 
structures can be constructed. 

The signing order of multisignature schemes has not been paid much atten- 
tion so far, except in [1,5]. One of the schemes in [5] is based on the RSA signature 
scheme. Hereafter, the scheme is called the Doi-Okamoto-Mambo scheme, DOM 
scheme for short. The security analysis of the DOM scheme is not complete. 
On the other hand, the scheme in [1] is based on the modified ElGamal and its 
security is proved by reductions to the discrete logarithm problem. 

In this paper we modify the DOM multisignature scheme and give several 
proofs of security. This paper is organized as follows. After this introduction, we 
give the notation and an example of the structured group in Sect. 2. In Sect. 3, we 
describe the DOM scheme briefly. Then we show that by slightly modifying the 
scheme as described in Sect. 4, we can prove its security as described in Sect. 5. 
The security proof in this context means to give reductions to computationally 
primitive problems. 



2 Notation and Definition 

A, B, C, ..., U are signers. M is a hashed message to sign. Each signer U has his 
identity, ID, which is composed of two integers. The secret identity (u_1, u_2), expressed 
by small letters, is a pair of secret keys of U. In the DOM scheme the public identity 
(U_1, U_2) is expressed by capital letters. Let ISG be the information for a structured 
group. Depending on the context, ISG also denotes the structured group itself. 
Let SGID, the structured group identity, be an identity determined from the ISG 
and the signers' IDs. In contrast to these abbreviations expressed in typewriter 
face, their instances are expressed in italic face. When we should distinguish 
symbols of different structured groups, we use a subscript, as in ISG_S, 
ISG_1, SGID_S, or SGID_1. We also use the notation SGID(ISG_S, (u_1, u_2), ...) 
for explicitly expressing that SGID is determined from ISG_S and the signers' IDs. 

For a positive integer k, Z_k and Z_k^* are defined as the set {i ∈ Z | 0 ≤ i < k} 
and the set {i ∈ Z_k | gcd(i, k) = 1}, respectively. Because all users can treat only a 
finite range of integers, such a range of integers is denoted by Z_{±k}. Furthermore, 
p, q are primes, and n = pq where p, q, n satisfy the conditions required for the RSA 
scheme. e ∈ Z^*_{φ(n)} and d ∈ Z^*_{φ(n)} are a public exponent and a secret exponent of 
the RSA, respectively. 
Now we describe an outline of the proposed scheme for a structured group 
G. Since the signing order is taken into account only in the serial structure, 
the structure of G is restricted to be serial in the following explanation. In the 
proposed scheme, at first, the first signer A creates A's signature S_A of M. 
We call it an intermediate signature of A. Next, using S_A, the second signer 
B creates S_B of M as an intermediate signature of B. Similarly, each signer 
after them creates his intermediate signature using the intermediate signature 
of the previous signer. Finally, an intermediate signature S of the last signer is 
created, and S is a multisignature of G. We aim to construct a scheme to provide 
a mechanism for verifying the signing order from S. As shown in Example 1, 
there is a close relation between a collusion and a signing order. Therefore we 
should define the validity of the signing order. 

Example 1. Let us consider a case such that A, H, B sequentially sign in this 
order. H is an honest signer and A, B may collude. Then even if A, H, B sign in 
the reverse order, as long as H performs signature creation for the signing order 
of A, H, B, a multisignature which passes the verification check for A, H, B can be 
created by the exchange of keys between A and B. Thus, the signing order can 
be forged. 

In Example 1, the faked intermediate signature that a cheated H receives is a 
right intermediate signature of A in the original signing order A, H, B. Likewise, 
if more than two colluding signers exchange their keys and arrange their keys 
in a suitable order, the signing order may be forged. Moreover, the signing 
order has no meaning if all signers collude, for a similar reason. Based on these 
observations, we define the validity of the signing order. 

Definition 1. Let $S$ be a multisignature of a message $M$ for a structured group
$ISG_1$. Let $H$ be an honest signer in $ISG_1$ who obeys the protocol. There exists
an algorithm for the verification of $S$, and $S$ passes the signature verification. $S$
is said to be valid if $S$ satisfies the following three conditions.

(V1) When all the signers in $ISG_1$ obey the protocol, $S$ is created.

(V2) When $H$ does not participate in signature creation of $ISG_1$ for $M$, $S$
cannot be created.

(V3) An intermediate signature $W$ which $H$ receives in the process of creating
$S$ is exactly the intermediate signature which is created when all the signers
obey the protocol. Note that if there exist colluders, they may not obey the
protocol.

From Theorem 4, the probability of a collision of SGID is negligible. That means
verifying $S$ is substantially a process of checking the signing order. More
precisely, from condition (V3) of Definition 1, one can verify from a valid
multisignature at least that if an honest signer exists in the structured group,
he has used the right intermediate signature in order to sign the message.

Naturally speaking, before signing a message, each signer should know for
which structured group he takes a signing action. Furthermore, checking the
name of the previous signer has something to do with the security of the signing
order. Indeed, an honest signer may be able to detect the change of the signing
order by the identity verification. For instance, the forgery in Example 1 does
not succeed if $H$ can find that the previous signer is $B$ and not $A$.

In this paper, we assume that $ISG$ is given from the previous signer. The
previous signer may be an attacker. Furthermore, we assume that the signer
cannot check the name of the previous signers. By these assumptions, we can
evaluate the security of the proposed scheme in a stronger attack model.

Finally, we give an example of structured group which is used in the whole 
of this paper. 

Example 2. Figure 1 shows a structured group composed of serial and parallel
structures. In Fig. 1, three signing groups $G_1, G_2, G_3$ are combined. The signing
order inside each group is not particularly important. But a different order
among the three groups yields a different multisignature. Information of the structured
group shown in Fig. 1 is denoted by $ISG_G$.



3 Doi-Okamoto-Mambo Scheme 

We briefly describe the RSA-based multisignature scheme proposed in [5].

3.1 Structured Group ID 

Two kinds of basic structured groups, serial and parallel, are considered. General 
structure is constructed as a combination of these basic structures. 

Basic Structures. In the serial structure, a different order of signers causes a
different SGID.

Example 3. (Serial structure:) For $ISG_1$ such that $B$ signs a message after $A$,
$SGID_1 = ((1 + a_1)a_2 + b_1)b_2$. On the other hand, for a structured group $ISG_2$,
which has the reversed signing order of $ISG_1$, $SGID_2 = ((1 + b_1)b_2 + a_1)a_2$.

In the parallel structure, the difference of signing order among signers has no
importance. Each signer makes his SGID independently and simultaneously.

Example 4. (Parallel structure:) For the simplest structure $SGID_P$ such that
each of $A, B$ signs the same message in parallel, $SGID_P = (1 + a_1)a_2 + (1 + b_1)b_2$.
General Structure. We only give an example for the structured group $ISG_G$
shown in Example 2. For the general construction of SGID, please refer to [5].

Example 5. $SGID_G$ for $ISG_G$ is generated as follows.

(DOM-S1) $SGID_A$ computed from $A$'s secret key is $(1 + a_1)a_2$. $SGID_1$ for $G_1$
is equal to $SGID_A$.

(DOM-S2) In $G_2$, $SGID_U$ computed from $U$'s secret key is $(SGID_1 + u_1)u_2$.
Thus, $SGID_2$ for $G_2$ is the sum of these $SGID_U$, i.e. $SGID_B + SGID_C +
SGID_D$.

(DOM-S3) As in (DOM-S2), $SGID_3$ for $G_3$ is $SGID_E + SGID_F$.

3.2 DOM Protocol 

We describe the DOM protocol for a generalized structure $ISG_s$ which contains
a group $G_i$.

Distribution. In the DOM scheme, each user $U$ publishes $(U_1, U_2)$, and shares
$U$'s first secret key $u_1$ with a trusted center. $U$'s second secret key $u_2$ is generated
by a hash function with input of $SGID(ISG_s, (U_{i,1}, U_{i,2}), \ldots)$ and $u_1$. For each
$ISG_s$, the trusted center generates public keys as follows.

(DOM-D1) The center creates primes $p, q$, and publishes $n = pq$. The primes
$p, q$ are secret, but there is no need to preserve them after the distribution.

(DOM-D2) The center creates $SGID_s = SGID(ISG_s, (u_{i,1}, u_{i,2}), \ldots)$. Next,
the center calculates $(v_1, v_2)$ which satisfies $(SGID_s + v_1)v_2 = 1 \pmod{\phi(n)}$
and publishes $(v_1, v_2)$.



Signing. Let $W$ be an intermediate signature signed by the users who should
sign before $U$. The signer $U$ in a group $G_i$ signs both the message $M$ and the
intermediate signature $W$ using $(u_1, u_2)$. But $W$ is different depending on $U$'s
position in the structured group. If $U$ is in the first group, he sets $W = M$
because there is no intermediate signature $W$. If $U$ is not in the first group, he
uses $W$ generated by the former group. $U$'s signature is $(WM^{u_1})^{u_2} \pmod n$.

When all the signers in $G_i$ have finished signing, the created signatures are multiplied
to generate $\prod_{U \in G_i} (WM^{u_1})^{u_2} \pmod n$. This value is the intermediate signature
$S_{G_i}$ of $G_i$. The generated $S_{G_i}$ is passed to the next group. Passing $S_{G_i}$ is a part of
the operation for a serial structure, and the multiplication inside $G_i$ is a part
of the operation for a parallel structure. $S_s$ generated by the last group is a
multisignature in $ISG_s$.



Verification. The validity of the multisignature $S_s$ is checked by $(S_sM^{v_1})^{v_2} =
M \pmod n$. If all the signers in $ISG_s$ obey the protocol, $S_s = M^{SGID_s} \pmod n$,
and $S_s$ is accepted as a multisignature of $ISG_s$.



Example 6. Now we describe the protocol for $ISG_G$ shown in Example 2.

Distribution: For $ISG_G$, the center generates primes $p, q$ and $n = pq$. Then
he calculates $SGID_G$ determined from $ISG_G$ and the signers' secret keys.
He generates $(v_1, v_2)$ which satisfies $(SGID_G + v_1)v_2 = 1 \pmod{\phi(n)}$ and
publishes $(n, v_1, v_2)$.

Signing in $G_1$: Only one signer $A$ exists in the first group $G_1$. Thus,
$(MM^{a_1})^{a_2} \pmod n$ is $A$'s signature and also is the intermediate signature $S_1$ of $G_1$.

Signing in $G_2$: In the second group $G_2$, there are three signers $B, C, D$. Each of
them receives $S_1$ and creates his own signature as defined in the protocol.
For example, $(S_1M^{b_1})^{b_2} \pmod n$ is $B$'s signature. After all, by multiplying
them, $\prod_{U \in \{B, C, D\}} (S_1M^{u_1})^{u_2} \pmod n$ is generated as the intermediate
signature $S_2$ of $G_2$.

Signing in $G_3$: In the last group $G_3$, each of $E, F$ receives $S_2$ and creates a signature
as defined in the protocol. Then $S_3$ for $G_3$ is generated. The multisignature
$S_G$ is equal to $\prod_{U \in \{E, F\}} (S_2M^{u_1})^{u_2} \pmod n$.

Verification: $(S_GM^{v_1})^{v_2} = M \pmod n$ is checked. If all the signers obey the
protocol, $S_G = M^{SGID_G} \pmod n$, and $S_G$ is accepted.

4 Modified Scheme 

Apparently, the DOM scheme works for various group structures, but only a few
proofs of security are given in [5]. In this section, we propose a modified DOM
multisignature scheme. At first, we clarify assumptions for RSA and the generation of
random numbers in Sect. 4.1. Then, we give strict definitions of SGID and analyze
its properties in Sect. 4.2. At last, we describe the proposed scheme in Sect. 4.3.
We give security proofs by using reductions to the problems whose difficulty is
assumed in Sect. 4.1.

4.1 Assumptions 

In this paper, we assume the following conditions for the security of the RSA 
scheme. 

Definition 2. RSAPhi$(e, n)$ is a function that on input $e$ and $n \in \mathbb{N}_{>1}$,
outputs $m \in \mathbb{Z}_{\pm k}$ such that $a^m = 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$, if such an $m$ exists.

Definition 3. RSASig$(M, e, n)$ is a function that on input $M \in \mathbb{Z}_n^*$, $e$
and $n \in \mathbb{N}_{>1}$, outputs $S \in \mathbb{Z}_n^*$ such that $S^e = M \pmod n$, if such an $S$ exists.

Assumption 1. The functions RSAPhi and RSASig are intractable. 

Assumption 2. For an arbitrary positive integer $k$, there exists a random generator
whose output is uniformly distributed over $\mathbb{Z}_k$.

Note that $m$ in Definition 2 is a multiple of $\phi(n)$. An attack using RSAPhi
is described in pp. 94-95 of [7]. We use reductions with respect to expected
polynomial-time Turing reducibility in our security proof. The polynomial-time
version of its definition is described in [1] and omitted here.
4.2 Modification in Structured Group ID

We strictly define a notion of SGID computed from a structured group and signers'
IDs. By the strict specification of SGID we can derive several security proofs
as explained in Sect. 5. The difference of ID and SGID from the DOM scheme is
the domain of ID and SGID, especially $u_2$.

Let the SGID-space, written as $\Omega$, and the ID-space, written as $\Lambda$, be a set of SGIDs
and a set of IDs, respectively. If an ID-space is given, we can define the SGID-space
as follows.

Definition 4. If an initial value $s \in \mathbb{Z}_{\phi(n)}$ and an ID-space $\Lambda \subseteq \mathbb{Z}_{\phi(n)} \times \mathbb{Z}^*_{\phi(n)}$
are given, the SGID-space $\Omega \subseteq \mathbb{Z}_{\phi(n)}$ is defined inductively as follows.

(i) For an arbitrary $(u_1, u_2) \in \Lambda$, $(s + u_1)u_2 \pmod{\phi(n)} \in \Omega$.

(ii) For arbitrary $x \in \Omega$ and $(u_1, u_2) \in \Lambda$, $(x + u_1)u_2 \pmod{\phi(n)} \in \Omega$.

(iii) For arbitrary $x, y \in \Omega$, $x + y \pmod{\phi(n)} \in \Omega$.

$((s + a_1)a_2 + (s + b_1)b_2 + c_1)c_2 \pmod{\phi(n)}$ is an example of SGID. If one
knows $\phi(n)$, he can calculate SGID modulo $\phi(n)$, but only the trusted center
knows $\phi(n)$ in our scheme. So, each signer knows only a value in $\mathbb{Z}_{\pm k}$ but not
in $\mathbb{Z}_{\phi(n)}$. Now we describe some lemmas used in the later section.

Lemma 1. If $s = 1$ and $\Lambda = \mathbb{Z}_{\phi(n)} \times \mathbb{Z}^*_{\phi(n)}$, then $\Omega = \mathbb{Z}_{\phi(n)}$.

Proof. First, we fix some $u_2 \in \mathbb{Z}^*_{\phi(n)}$. For an arbitrary $z \in \mathbb{Z}_{\phi(n)}$, if we set
$u_1 = zu_2^{-1} - 1 \pmod{\phi(n)}$, then $z \in \Omega$ by Definition 4(i). So $\mathbb{Z}_{\phi(n)} \subseteq \Omega$. On
the other hand, $\Omega \subseteq \mathbb{Z}_{\phi(n)}$ is trivially satisfied. Thus, $\Omega = \mathbb{Z}_{\phi(n)}$ is proved. □

From Lemma 1, if the ID-space is maximal, the SGID-space is maximal too. In this
paper, we fix that $s = 1$, ID-space $\Lambda = \mathbb{Z}_{\phi(n)} \times \mathbb{Z}^*_{\phi(n)}$ and SGID-space $\Omega = \mathbb{Z}_{\phi(n)}$.

Lemma 2. When an $ISG_s$ is given, we can construct $SGID_s \in \Omega$ by following
the rules in Definition 4. Consider a case such that $(a_1, a_2) \in \Lambda$ is used to
construct $SGID_s$. Using $X, Y, Z \in \mathbb{Z}_{\pm k}$, $SGID_s$ is expressed as

$$(X + a_1)a_2Y + Z, \qquad (1)$$

where $X, Y > 0$ and $Z \ge 0$.

Proof. It is easily derived from Definition 4. □

The trusted center can compute $X, Y, Z \pmod{\phi(n)}$. But without the knowledge
of $\phi(n)$, all users can deal only with the form of Lemma 2.

Apart from the definition of SGID, the procedure to compute SGID is the
same as described in Sect. 3.1. Thus, we only point out a problem for a serial
structure. In a serial structure, a different order of signers causes a different
SGID. For almost all cases in Example 3, $SGID_1 \neq SGID_2$, i.e.

$$((1 + a_1)a_2 + b_1)b_2 = ((1 + b_1)b_2 + a_1)a_2 \pmod{\phi(n)} \qquad (2)$$

does not hold. Therefore, we can use Definition 4 as an SGID of a serial structure.
Of course, the probability that (2) holds is not equal to 0. However, this
probability is very small as shown in Sect. 5.3, and it can be ignored.
4.3 New Protocol

We assume the existence of a trusted center which knows all signers' secret keys
$(u_1, u_2) \in \Lambda$. The center publishes for each structured group a distinct modulus
$n$ of the RSA scheme and a verification key. As in the DOM scheme, all users
can create a multisignature after the distribution phase. This distribution occurs
only once for a structured group and the same keys can be repeatedly used for
the same structured group.

The difference between the proposed modified scheme and the original DOM
scheme is only the key distribution, which follows from the difference of the
domains of ID and SGID. Protocols for signing and verification are not different
from those in Sect. 3.2. Hence, we describe only the key distribution for $ISG_s$.



Distribution. For a new $ISG_s$, the center generates keys only once as follows. In
contrast to the DOM scheme, the public identity of a signer is not used in the entire
protocol, a hash function is not used for generating a signer's secret keys, and the
center and $U$ share no secret key in advance.

(D1) The procedure is the same as in (DOM-D1) explained in Sect. 3.2.

(D2) For each $U$ in $ISG_s$, the center generates a pair of random integers
$(u_1, u_2) \in \Lambda$ as $U$'s secret key. These random integers $u_1, u_2$ are generated
repeatedly until $u_1 \in \mathbb{Z}_{\phi(n)}$ and $u_2 \in \mathbb{Z}^*_{\phi(n)}$ is satisfied. Once a pair
$(u_1, u_2)$ is generated, the center sends $(u_1, u_2)$ to $U$ in a secure way.
Then, the center calculates $SGID_s = SGID(ISG_s, (u_{i,1}, u_{i,2}), \ldots)$ as described
in Sect. 3.1. At last, the center calculates $(v_1, v_2) \in \Lambda$ which satisfies
$(SGID_s + v_1)v_2 = 1 \pmod{\phi(n)}$ and publishes them. To calculate
$(v_1, v_2)$, he generates a random integer $v_2$ satisfying $v_2 \in \mathbb{Z}^*_{\phi(n)}$ and sets
$v_1 = v_2^{-1} - SGID_s \pmod{\phi(n)}$.

As shown above, the key published by the center is $(n, v_1, v_2)$, which differs
in each structured group. Note that $n$ must be different in a different structured
group in order to avoid attacks known for the RSA signature scheme.
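The following added example (not code from the paper) runs the signing and verification protocol of Sect. 3.2 (Example 6) with the key distribution (D1)-(D2) of this section, for the structured group $ISG_G$ of Example 2; the primes, message and signer names are constructed toy values that give no security.

```python
"""RSA multisignature over a structured group (added illustration, not the paper's code).

Structured group ISG_G of Example 2:  G1 = {A}  ->  G2 = {B, C, D}  ->  G3 = {E, F},
serial between groups, parallel inside a group.  Key distribution follows (D1)-(D2)
of Sect. 4.3; signing and verification follow Sect. 3.2.  The primes below are
constructed toy values, far too small to give any security.
"""
from math import gcd
import secrets

P, Q = 104729, 1299709          # constructed toy primes (the 10000th and 100000th primes)
N = P * Q                       # (D1): the center publishes n = pq and keeps p, q secret
PHI = (P - 1) * (Q - 1)         # phi(n), known only to the center

# Example 2: groups in signing order; signers inside one group sign in parallel
ISG_G = [["A"], ["B", "C", "D"], ["E", "F"]]


def rand_unit(phi):
    """Uniform element of Z*_phi (Assumption 2 plus rejection sampling)."""
    while True:
        x = secrets.randbelow(phi)
        if gcd(x, phi) == 1:
            return x


def distribute_secret_keys(isg, phi):
    """(D2): every signer U gets an independent random (u1, u2) in Z_phi x Z*_phi."""
    return {u: (secrets.randbelow(phi), rand_unit(phi)) for group in isg for u in group}


def sgid(isg, keys, phi, s=1):
    """SGID of Definition 4 (Example 5): each group maps x -> sum over its members of
    (x + u1) * u2; the sum is the parallel step, passing x on is the serial step.
    Only the center can reduce modulo phi(n)."""
    x = s
    for group in isg:
        x = sum((x + keys[u][0]) * keys[u][1] for u in group) % phi
    return x


def distribute_public_key(isg, keys, phi):
    """(D2), last part: random v2 in Z*_phi and v1 = v2^-1 - SGID, so (SGID + v1) v2 = 1."""
    v2 = rand_unit(phi)
    v1 = (pow(v2, -1, phi) - sgid(isg, keys, phi)) % phi
    return v1, v2


def sign(w, m, key, n):
    """One signer's step (W * M^u1)^u2 mod n, W being the received intermediate signature."""
    u1, u2 = key
    return pow(w * pow(m, u1, n), u2, n)


def multisign(isg, keys, m, n):
    """Sect. 3.2 signing: the first group starts from W = M; every group multiplies
    its members' signatures and passes the product on as the next W."""
    w = m % n
    for group in isg:
        product = 1
        for u in group:
            product = product * sign(w, m, keys[u], n) % n
        w = product
    return w


def verify(s, m, vkey, n):
    """Verification of Sect. 3.2: (S * M^v1)^v2 == M mod n."""
    v1, v2 = vkey
    return pow(s * pow(m, v1, n), v2, n) == m % n


def demo(m=123456789):
    """Runs the whole protocol on a constructed message and reports three facts:
    the honest run verifies, it equals M^SGID mod n, and signing the same groups in
    the reversed order (the serial-order point of Example 3) is rejected."""
    keys = distribute_secret_keys(ISG_G, PHI)
    vkey = distribute_public_key(ISG_G, keys, PHI)
    s = multisign(ISG_G, keys, m, N)
    honest = verify(s, m, vkey, N)
    equals_m_sgid = s == pow(m, sgid(ISG_G, keys, PHI), N)
    reversed_order = verify(multisign(ISG_G[::-1], keys, m, N), m, vkey, N)
    return honest, equals_m_sgid, reversed_order


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```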

5 Security Considerations 

In the proposed scheme, we assume the center is trusted and only users would
cheat. Thus, we evaluate the security against a collusion of all the signers except
one honest signer $H$.

Condition (V1) of Definition 1 is guaranteed by the reliable key generation
of the trusted center. Concerning conditions (V2) and (V3) of Definition 1,
we examine the security of the modified scheme from the following
viewpoints.

Forging multisignature: Colluders try to forge a multisignature without the
cooperation of $H$. This analysis is given in [5] such that forging the RSA
scheme reduces to this problem.

Changing the signing order: Colluders pass an incorrect intermediate signature
$W'$ to $H$, and receive $H$'s signature on $W'$. With this knowledge
colluders try to forge a multisignature.

Attacks to other ISG: With the knowledge of $ISG_1$, colluders try to generate
a multisignature for $ISG_2$.

Collision of SGID: We evaluate the probability that two arbitrary SGIDs of
different group structures are congruent to each other.

In this section, the modulus is $\phi(n)$ by default and we omit writing it for simplicity
of the description. From Sect. 4.2, we assume $\Lambda = \mathbb{Z}_{\phi(n)} \times \mathbb{Z}^*_{\phi(n)}$ and $\Omega = \mathbb{Z}_{\phi(n)}$.

Note that both the secret key $(u_1, u_2)$ and the verification key $(v_1, v_2)$ belong to
$\Lambda$. Generally speaking, $\; > (\ln(2) \cdot n)/\ln(2n)$ is satisfied, and we denote
$p = \lfloor (\ln(2) \cdot n)/\ln(2n) \rfloor$. Furthermore, we assume that the number of signers is
polynomial in $|n|$. Otherwise, the signing process does not terminate
in a practical time scale.

From Lemma 2, colluders without the knowledge of $\phi(n)$ know that

$$((X + h_1)h_2Y + Z + v_1)v_2 = 1 \qquad (3)$$

holds for $H$'s unknown secret key $(h_1, h_2) \in \Lambda$, where $X, Y, Z \in \mathbb{Z}_{\pm k}$ are constant
numbers derived from the colluders' secret keys, and $(v_1, v_2) \in \Lambda$ is the public
key.

We point out that even if $SGID_s$, $ISG_s$ and all the IDs except $(h_1, h_2)$ are
given, $(h_1, h_2)$ cannot be determined uniquely.

Lemma 3. $H$'s secret key $(h_1, h_2)$ which satisfies (3) cannot be determined uniquely
modulo $\phi(n)$. Indeed, there are $\phi(\phi(n))$ candidates of secret keys.

Proof. Let $c$ be $(X + h_1)h_2$. For arbitrary $x_2 \in \mathbb{Z}^*_{\phi(n)}$, if we set $x_1$ to $cx_2^{-1} - X$,
$(x_1, x_2)$ satisfies (3). This analysis also implies that $x'_1 \notin \{cx_2^{-1} - X
\pmod{\phi(n)} \mid x_2 \in \mathbb{Z}^*_{\phi(n)}\}$ cannot be a solution of (3). Because the number of
elements in $\mathbb{Z}^*_{\phi(n)}$ is $\phi(\phi(n))$, the lemma is proved. □

We call $(x_1, x_2)$ satisfying (3) a substitution key of (3).
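Added illustration of Lemma 3 (not the paper's code) on a constructed toy modulus: given the colluders' view $X, Y, Z$, the public $(v_1, v_2)$ and $n$, it enumerates every pair in $\Lambda$ satisfying (3), checks the count $\phi(\phi(n))$ against the construction in the proof, and shows that every substitution key yields the same signature from $H$, so none of them can be singled out. All numbers are constructed.

```python
"""Lemma 3 on a toy modulus (added illustration, not the paper's code).

Colluders know X, Y, Z (from their own keys), the public (v1, v2) and n, hence they
know that ((X + h1) h2 Y + Z + v1) v2 = 1 (mod phi(n)) holds for H's key (h1, h2).
This enumerates all pairs in Lambda = Z_phi x Z*_phi satisfying that congruence.
"""
from math import gcd

P, Q = 11, 13                # constructed toy primes; n = 143, phi(n) = 120
N = P * Q
PHI = (P - 1) * (Q - 1)

X, Y, Z = 5, 7, 9            # constants of Lemma 2 as seen by the colluders (constructed)
H_KEY = (4, 11)              # H's real secret key (h1, h2) in Z_120 x Z*_120 (constructed)


def euler_phi(m):
    """Euler's phi(m) by trial division; fine for toy sizes."""
    result, k = m, 2
    while k * k <= m:
        if m % k == 0:
            while m % k == 0:
                m //= k
            result -= result // k
        k += 1
    if m > 1:
        result -= result // m
    return result


def verification_key(h_key, x, y, z, v2, phi):
    """Center's step: SGID = (X + h1) h2 Y + Z and v1 = v2^-1 - SGID (mod phi)."""
    h1, h2 = h_key
    sgid = ((x + h1) * h2 * y + z) % phi
    return (pow(v2, -1, phi) - sgid) % phi, v2


def substitution_keys_bruteforce(x, y, z, vkey, phi):
    """Every (x1, x2) in Z_phi x Z*_phi with ((X + x1) x2 Y + Z + v1) v2 = 1 (mod phi)."""
    v1, v2 = vkey
    return {(x1, x2) for x1 in range(phi) for x2 in range(phi)
            if gcd(x2, phi) == 1 and ((x + x1) * x2 * y + z + v1) * v2 % phi == 1}


def substitution_keys_lemma3(x, h_key, phi):
    """The construction of the proof: c = (X + h1) h2, x1 = c x2^-1 - X for every unit x2."""
    h1, h2 = h_key
    c = (x + h1) * h2 % phi
    return {((c * pow(x2, -1, phi) - x) % phi, x2) for x2 in range(phi) if gcd(x2, phi) == 1}


def h_signature(w, m, key, n):
    """H's signing step (W * M^x1)^x2 mod n for a candidate key."""
    x1, x2 = key
    return pow(w * pow(m, x1, n), x2, n)


def analyse(m=2):
    """Returns (number of solutions of (3), phi(phi(n)), brute force == proof's
    construction, every candidate key produces the same signature from H)."""
    vkey = verification_key(H_KEY, X, Y, Z, 13, PHI)   # v2 = 13 is a unit mod 120
    brute = substitution_keys_bruteforce(X, Y, Z, vkey, PHI)
    lemma = substitution_keys_lemma3(X, H_KEY, PHI)
    w = pow(m, X, N)                                   # honest intermediate signature M^X
    sigs = {h_signature(w, m, key, N) for key in brute}
    return len(brute), euler_phi(PHI), brute == lemma, len(sigs) == 1


if __name__ == "__main__":
    print(analyse())   # (32, 32, True, True)
```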

5.1 Changing the Signing Order 

In this section, we study an attack to change the signing order. At first, we define
a function ChangeKey which generates keys for changing the signing order.

Definition 5. ChangeKey$(ISG_1, u_{i,1}, u_{i,2}, \ldots, \eta, v_1, v_2, n)$ is a function that on
input a structured group $ISG_1$, colluders' secret keys $(u_{i,1}, u_{i,2}) \in \Lambda$, the number
$\eta$ of substitution keys, a verification key $(v_1, v_2) \in \Lambda$ and a modulus $n \in \mathbb{N}_{>1}$,
outputs a structured group $ISG_2$ and colluders' secret keys $(u'_{i,1}, u'_{i,2}) \in \Lambda$ such
that

$$((X + h_1)h_2Y + Z + v_1)v_2 = 1 \qquad (4)$$

for each of $\eta$ substitution keys of (4),

$$((X' + h'_1)h'_2Y' + Z' + v_1)v_2 = 1 \qquad (5)$$

and $X' \neq X$, where $(X, Y, Z)$ and $(X', Y', Z')$ are calculated from $(ISG_1, u_{i,1},
u_{i,2}, \ldots)$ and $(ISG_2, u'_{i,1}, u'_{i,2}, \ldots)$ as explained in Lemma 2, respectively, and
$(h_1, h_2)$ is a secret key of $H$ in $ISG_1$, if such outputs exist. Otherwise it outputs
$\bot$. Note that $(h_1, h_2)$ may be included in the set of $\eta$ substitution keys $(h'_1, h'_2)$
of (4).

This function forges a new signing order and/or new secret keys by using
$H$'s signature on an incorrect intermediate signature $W' \pmod n$. Thus, if
ChangeKey exists, the validity of $S$ in terms of Definition 1 (V3) is not guaranteed.

Note that (4) is derived from published information and all the colluders' secret
keys. But according to Lemma 3, there are $\phi(\phi(n))$ candidates for $H$'s secret
key satisfying (4). From the existence of such substitution keys, the difficulty of
computing ChangeKey is classified into several cases:

A) Computing ChangeKey for more than two substitution keys. 

B) Computing ChangeKey for one substitution key. 

As special cases of A) and B), we can consider the following cases. 

A’) Computing ChangeKey for all substitution keys. 

B’) Computing ChangeKey for one substitution key that is exactly the key H 
actually possesses. 

Our concern is whether ChangeKey outputs values useful for a successful forgery.
In case A'), whichever key satisfying (4) $H$ actually possesses, the attack
using the output of ChangeKey is successful with probability 1. The fewer
substitution keys satisfy (5), the smaller the success probability of the
attack becomes. In case B), the success probability of the attack using the
output of ChangeKey becomes $1/\phi(\phi(n))$, which means computing ChangeKey
for case B) is useless in reality. On the other hand, in case B'), the
attack using the output of ChangeKey is successful with probability 1. However,
additional information is required for narrowing down the $\phi(\phi(n))$ candidates
of secret keys to one.

We analyze the difficulty of computing ChangeKey in case A) and in
case B'). To this end, ChangeKeyA and ChangeKeyB' are defined by limiting the
input $\eta$ of ChangeKey in accordance with the condition of case A) and
case B'), respectively. Note that case A') is included in case A).

With respect to ChangeKeyA, that RSAPhi reduces to ChangeKeyA is proved conditionally
in [5]. The condition is that colluders can collect more than three pairs of
$(X', Y', Z')$s for the same $(h'_1, h'_2) (= (h_1, h_2))$. We improve this result.

Lemma 4. Suppose that $X, Y, Z$ which satisfy (4) are given. If $X' (\neq X), Y',
Z' \in \mathbb{Z}_{\pm k}$ which satisfy (5) for more than two substitution keys $(h'_1, h'_2)$ of (4)
are found, a multiple of $\phi(n)$ can be calculated.

Proof. Each of the substitution keys of (4) satisfies (4) and (5). Thus, we
can derive the congruences

$$h'_1h'_2Yv_2 = \tilde{Z} - Xh'_2Yv_2 \quad \text{and} \quad h'_1h'_2Y'v_2 = \tilde{Z}' - X'h'_2Y'v_2,$$

where $\tilde{Z} = 1 - Zv_2 - v_1v_2$ and $\tilde{Z}' = 1 - Z'v_2 - v_1v_2$. Multiply the
former by $Y'$ and the latter by $Y$, and eliminate the term including $h'_1h'_2$. Then

$$(X' - X)h'_2v_2YY' = \tilde{Z}'Y - \tilde{Z}Y'$$

is obtained. Although $h'_2$ can take more than two arbitrary elements of $\mathbb{Z}^*_{\phi(n)}$,
the right-hand side is a constant. In order to satisfy the identical congruence, $(X' -
X)v_2YY'$ must be congruent to 0. Additionally, considering the assumption $X' -
X \neq 0$, $Y, v_2 > 0$, we conclude that $(X' - X)v_2YY'$ is some multiple of $\phi(n)$
when $Y' \neq 0$, and $(Z' + v_1)v_2 - 1$ is some multiple of $\phi(n)$ when $Y' = 0$. □

Theorem 1. RSAPhi reduces to ChangeKeyA.

Proof. Let $e$ and $n$ be inputs of RSAPhi. At first, an attacker selects some $ISG_1$
and generates random integers $u_{i,1}, u_{i,2}, \ldots \in \mathbb{Z}_p$ using the random generator
assumed in Assumption 2. $\eta$ is set to be a suitable number which is equal to
or greater than two. Until ChangeKeyA outputs an answer other than $\bot$, he
calculates ChangeKeyA$(ISG_1, (u_{1,1}, \ldots), \ldots)$ repeatedly.

Let $\alpha$ be the number of participants of the group. From

$$\frac{\;}{p} \ge \frac{\ln(2) \cdot p}{\ln(2p) \cdot p} = \frac{\ln(2)}{\ln(2p)}$$

the attacker expects to obtain $u_{i,2}$ which satisfies $u_{i,2} \in \mathbb{Z}^*_{\phi(n)}$ for $\alpha$ signers if
he tries $(\ln(2p)/\ln(2))^\alpha$ times. Because $p$ is $O(n/\ln(n))$, the trial time
$(\ln(2p)/\ln(2))^\alpha$ is $O((\ln(n) - \ln(\ln(n)))^\alpha)$ and the order is bounded above by a
polynomial of $|n|$.

By using the inputs of ChangeKeyA, the attacker can calculate $(X, Y, Z)$ satisfying
(4), and by using the answer of ChangeKeyA, he can calculate $(X', Y', Z')$
satisfying (5) for at least two substitution keys of (4). Therefore, a multiple of
$\phi(n)$ can be calculated from Lemma 4. □

Regarding case B'), we examine the complexity of ChangeKeyB' in the situation
such that an attacker can additionally have access to an RSA signing
oracle which uses the same modulus as in the proposed scheme under attack.
We define a function ChangeKeyB'Info for computing ChangeKeyB' with information
on multisignatures.

Definition 6. ChangeKeyB'Info$(ISG_1, u_{i,1}, u_{i,2}, \ldots, 1, v_1, v_2, n, (M_i, X_i, S_i), \ldots)$
is a function which behaves the same as ChangeKey except that (5) in Definition 5
holds only for the substitution key satisfying $(h'_1, h'_2) = (h_1, h_2)$, and that
it has additional inputs of a polynomial number of multisignatures $(M_i, X_i, S_i)$.
Note that from the first condition for exception, $\eta$ is set to be 1.
Theorem 2. In the situation such that an attacker can have access to an RSA
signing oracle which uses the modulus of the target multisignature scheme, we
can prove that RSAPhi reduces to ChangeKeyB'Info.

Proof. Let $e$ and $n$ be inputs of RSAPhi. At first, an attacker selects some
$ISG_1$, and generates random integers $u_{i,1}, u_{i,2}, \ldots, x \in \mathbb{Z}_p$. Then he can
calculate $X, Y, Z$ of (4). Until $\gcd(Y, e) = 1$ is satisfied, he repeatedly generates
$u_{i,1}, u_{i,2}, \ldots, x$. If $\gcd(Y, e) = 1$, he can compute positive integers $k$ and $x$ which
satisfy $ek - xY = 1$, using the extended Euclidean algorithm. Next, he sets
$(h_1, h_2) = (-X - d, x)$ and $(v_1, v_2) = (k - Z, e)$. It is easy to check that $(h_1, h_2)$,
$X, Y, Z, v_1$ and $v_2$ satisfy (4) since $ed = 1$. Thus, $(-X - d, x)$ is regarded as the
secret key. By accessing the RSA oracle with a secret key $d$ corresponding to
$e$ and a public modulus $n$, the attacker obtains a polynomial number of $M_i^d$ for
arbitrary $M_i$. Then he can prepare a polynomial number of $(M_i, X_i, S_i)$ by computing
$S_i = (X_iM_i^{-X-d})^x = (X_iM_i^{-X}(M_i^d)^{-1})^x \pmod n$ for $M_i$ and arbitrary
$X_i$. Hence, the attacker repeatedly generates $u_{i,1}, u_{i,2}, \ldots, x \in \mathbb{Z}_p$, which satisfy
$\gcd(Y, e) = 1$, and a polynomial number of $M_i^d$ until ChangeKeyB'Info$(ISG_1,
u_{i,1}, u_{i,2}, \ldots, v_1, v_2, n)$ outputs an answer other than $\bot$. From the outputs of
ChangeKeyB'Info, $X', Y', Z'$ are calculated easily. Using $X', Y', Z', h_1, h_2, v_1$ and
$v_2$, (5) can be expressed as $((X' + (-X - d))xY' + Z' + k - Z)e = 1$. That is,

$$((X' - X)xY' + Z' - Z + k)e - xY' - 1 = 0. \qquad (6)$$

Note that if the left-hand side is not equal to 0, the attacker can get a multiple
of $\phi(n)$ other than 0. If the left-hand side is equal to 0, the attacker iterates this
procedure until the left-hand side is not equal to 0.

At the end of this proof, we evaluate the number of trials of the above procedure.
If we suppose that $X', Y', Z' \in \mathbb{Z}_{\pm k}$ are random outputs, the probabilities
that $X' > X$, $Y' > 0$, and $Z' > Z + k$ are 1/4, 1/2, and 1/4, respectively.
Indeed, if we suppose that $X'$ is a random integer in $\mathbb{Z}_{\pm k}$ and $X$ is a positive
random integer in $\mathbb{Z}_{\pm k}$, we can evaluate that $\mathrm{Prob}(|X'| > |X|)$ is 1/2,
and $\mathrm{Prob}(X' > 0)$ is 1/2. So $\mathrm{Prob}(X' > X) = 1/4$. The other probabilities can be
calculated in the same manner. If $X' > X$, $Y' > 0$ and $Z' > Z + k$ are satisfied,
the left-hand side of (6) becomes positive. That means we can expect to obtain
$X', Y', Z'$, by which the left-hand side of (6) becomes positive, after 32 trials.
Therefore, RSAPhi reduces to ChangeKeyB'Info. □

Let $\mathrm{Ord}_r(g)$ denote the multiplicative order of $g$ modulo $r$. $\Gamma(r) = \{g_{max} \mid
\mathrm{Ord}_r(g_{max}) = \max_g \mathrm{Ord}_r(g), \text{ where } g, g_{max} \in \mathbb{Z}_r\}$. $g_{max,r} \in \Gamma(r)$. Now, we
slightly generalize ChangeKey as follows.

Definition 7. ChangeFunc$(M, ISG_1, u_{i,1}, u_{i,2}, \ldots, \eta, v_1, v_2, n)$ is a function
that on input a message $M \in \mathbb{Z}_n^*$, a structured group $ISG_1$, colluders' secret
keys $(u_{i,1}, u_{i,2}) \in \Lambda$, the number $\eta$ of substitution keys, a verification key $(v_1, v_2)
\in \Lambda$, and a modulus $n \in \mathbb{N}_{>1}$, outputs an intermediate signature $W' \in \mathbb{Z}_n^*$
and a function $F$ such that $(F((W'M^{h'_1})^{h'_2})M^{v_1})^{v_2} = M \pmod n$ for $W' \neq
M^X \pmod n$ and each of $\eta$ substitution keys $(h'_1, h'_2)$ of (4), where $ISG_1$,
$(u_{i,1}, u_{i,2})$, $(v_1, v_2)$, and $n$ satisfy (4), $n$ additionally satisfies $|\Gamma(n)|/n = O(poly(|n|))$,
$X$ is calculated from $ISG_1, u_{i,1}, u_{i,2}, \ldots$ as explained in Lemma 2, if
such $W'$ and $F$ exist. Otherwise it outputs $\bot$. Note that $(h_1, h_2)$ may be included
in the set of $\eta$ substitution keys $(h'_1, h'_2)$ of (4).

After receiving $W'$ and $F$ from ChangeFunc, an attacker sends $W'$ to an
honest signer $H$ and receives $H$'s signature on $M$ and $W'$. Then the attacker
can forge a multisignature using $H$'s signature and the function $F$.

We give the proof of the security for the attack of ChangeFunc only in
case A'). The corresponding function is denoted by ChangeFuncA'. The security
against the attack of ChangeFunc in the case of A) other than A') and in
case B') is left as an open problem.

Definition 8. RSASig' is RSASig with an additional condition such that the
input $n$ satisfies $|\Gamma(n)|/n = O(poly(|n|))$.



Theorem 3. RSASig' reduces to ChangeFuncA'.

Proof. Let $M, e$ and $n$ be inputs of RSASig'. At first, an attacker sets $v_2 = e$.
As in the proof of Theorem 1, he selects $ISG_1$ and $(u_{i,1}, u_{i,2}), \ldots, x \in \mathbb{Z}_p$ until
ChangeFuncA'$(M, ISG_1, u_{i,1}, u_{i,2}, \ldots, \phi(\phi(n)), x, e, n)$ outputs an answer other
than $\bot$. Note that from the condition of A'), $\eta$ is set to be $\phi(\phi(n))$. The expected
number of the trials is bounded by a polynomial in $|n|$. Then the attacker
obtains $W'$ and $F$. By giving $W'$ to the target signer $H$, he can receive an output
$(W'M^{h_1})^{h_2} \pmod n$ from $H$, where $(h_1, h_2)$ is one of the substitution keys
mentioned in Lemma 3. As in the definition of ChangeFuncA', $F$ can compute for
all substitution keys a multisignature which passes the verification check. Hence,
the attacker can simulate $H$'s signing operation by selecting an intermediate
signature $W''$ of $H$ from $\mathbb{Z}_n$ uniformly at random. As long as $W''$ belongs to the
set of $H$'s outputs, $F$ computes a multisignature $S$ which passes the verification
check, i.e. $S = F(W'')$. Then $SM^x \pmod n$ is the output of RSASig'.

Now, we give a very rough estimate for the probability that the selected $W''$
belongs to the set of $H$'s outputs. Because the substitution key $(h'_1, h'_2)$ satisfies
$(X + h'_1)h'_2 = (X + h_1)h_2$,

$$(W'M^{h'_1})^{h'_2} = (W'M^{-X})^{h'_2}M^{(X + h_1)h_2} \pmod n$$

is derived. Because $h'_2$ is an arbitrary integer in $\mathbb{Z}^*_{\phi(n)}$, if $\mathrm{Ord}_n(W'M^{-X})$ is large,
the candidates of $(W'M^{h'_1})^{h'_2}$ increase. Since the adequate modulus $n$ satisfies
$|\Gamma(n)|/n = O(poly(|n|))$, $\mathrm{Prob}(W'' \in \Gamma(n)) = O(poly(|n|))$ and $\mathrm{Prob}(\mathrm{Ord}_n
(W'M^{-X}) = \mathrm{Ord}_n(g_{max,n})) = O(poly(|n|))$ under the assumption that $W'$ is a
random integer in $\mathbb{Z}_n^*$. That means both the number of trials is bounded by a polynomial
in $|n|$ and the probability that $F$ outputs $S$ for a random integer $W''$ is bounded
by a polynomial in $|n|$. Therefore, RSASig' reduces to ChangeFuncA'. □
5.2 Attacks to Other ISG

In this section, we consider attacks to $ISG_2$ using all information related
to another $ISG_1$. The moduli of $ISG_1$ and $ISG_2$ are denoted by $n_1$ and $n_2$,
respectively. If all the signers in $ISG_1$ collude, $\phi(n_1)$ can be easily calculated
and may be used to attack $ISG_2$. But the modulus in $ISG_2$ is different
from $n_1$. It is not known if there is an attack for a different modulus in the
RSA scheme. Thus, we consider it difficult to perform such an attack.

By the same argument, we assume that an attacker cannot generate a multisignature
for $ISG_2$ by converting $S_H$ created by an honest signer $H$ in $ISG_1$.

5.3 Collision of SGID 

Collision of SGID for distinct structured groups causes a failure of verifying the
signer's group. There are collisions of SGID in the proposed scheme. For example,
the probability that (2) holds is not equal to 0.

Theorem 4. Let $SGID_1$ be the SGID determined by $ISG_1$ and $(u_{1,1}, u_{1,2}), \ldots$
which are selected uniformly at random from $\Lambda$, and let $c$ be an arbitrary constant.
Then $\mathrm{Prob}(SGID_1 = c \pmod{\phi(n)}) = 1/\phi(n)$.

Because $n$ is the modulus of RSA, $\phi(n)$ is sufficiently large and the probability
in Theorem 4 can be regarded as negligible.

It is desirable that all the intermediate SGIDs are distinct. In such a case,
we must consider the birthday paradox and design the size of $n$ accordingly. The number of
signers whose SGIDs are all distinct is bounded by a polynomial in $|n|$. The same
property is observed in [1].

5.4 Problems of Variations 

Modifying the proposed scheme must be done with the greatest care. For example,
as explained in [5], the direct application of the threshold technique in [3] to the
proposed scheme is insecure because signers involved in the threshold scheme
can compute a multiple of $\phi(n)$, where $n$ is a modulus of the multisignature
scheme.

Moreover, the following simplification of secret keys should be avoided. In
our scheme, the secret key of $U$ is a pair of random integers $(u_{i,1}, u_{i,2})$. If we set
the former parameter to be a constant, for example $u_{i,1} = 1$ as discussed in [4],
the signing order can be manipulated in the sense of Definition 1 (V3) as follows.

Example 7. Consider a structured group in which $A, H, B$ sign in this order. Now
suppose that the secret keys of $A$, $H$ and $B$ are $(1, a_2)$, $(1, h_2)$ and $(1, b_2)$, respectively.
If $2a_2 + 1 = 3k$ holds for some integer $k$, colluding $A$ and $B$ can succeed in
the following attack.

(F1) An attacker passes (mod $n$) as $A$'s signature $S_A$ to $H$.

(F2) $H$ generates his signature $S_H =$ (mod $n$).

(F3) An attacker calculates $S_B =$ (mod $n$).

Because $S_B =$ (mod $n$), $S_B$ is accepted. We can extend
the attack by use of expressions other than $2a_2 + 1 = 3k$. In the proposed scheme,
such an attack cannot be successful because of Theorem 1.



6 Conclusion 

In this paper, we have improved the RSA-based multisignature scheme proposed
in [5] and proved its security. We gave a strict definition of the SGID determined
from the structured group and IDs. Using SGID, we have constructed a
multisignature scheme which is suitable for the various group structures composed
of serial and parallel ones. In the proposed scheme one can verify the signing
order in a structured group. For the security analysis we have adopted an attack
model such that all the signers except one honest signer collude. Based on such
an attack model, we have clarified many security properties of the proposed
scheme in addition to the proof shown in [5]. We have given security proofs for
the attacks of changing the signing order. There are two models for the attacks.
One is to generate keys for changing the signing order, and the other is to generate
functions for changing the signing order. The problem of finding a multiple of
$\phi(n)$ of the RSA scheme reduces to the problem of achieving the former. Meanwhile,
the same problem can reduce to the problem of achieving the latter only
in limited situations. The reduction to the latter model in the special case is left
as an open problem. We have also evaluated the security against the attacks
to other ISG, and the collision of the SGID. Furthermore, the problems caused
by simplifying keys and by directly applying a threshold scheme to the proposed
scheme have been explained briefly.
Abstract. A designated confirmer signature allows the signer to prove to the signature's recipient that the designated confirmer can confirm the signature without the signer. In this paper we propose a fail-stop confirmer signature scheme based on the concept of fail-stop knowledge proofs and signature knowledge proofs on discrete logarithms. We also develop a blinded version of the confirmer scheme. The new confirmer signatures have enhanced security against forgery by powerful adversaries.



1 Introduction 

An undeniable signature requires the signer to verify the signature for the signature recipient [1]. Designated confirmer signatures [2,3,4] were first proposed by Chaum [2] to give undeniable signatures more flexibility by allowing a designated confirmer to verify the signature on behalf of the signer. In fact, designated confirmer signatures can be designed so that both the signer and the confirmer can verify a signature [5].

Fail-stop signature schemes [6,7,8,9] were proposed by Heyst and Pedersen [6] to enhance security against adversaries who have a high degree of computational power. Under such a scheme, if the secret key of a system is compromised, a designated trusted authority can identify the forger of the instance with overwhelming probability. The fail-stop mechanism is based on a special public–secret key pair. In particular, the unique public key is designed in such a way that it maps to $q$ different solutions for the secret key over a finite field of size $q$. Since only one solution is registered with the authority, the probability that a powerful adversary finds the correct key is $1/q$.

In this paper, we propose a new confirmer signature scheme that combines confirmer signatures with a fail-stop method. In the confirmer signature scheme, verification and confirmation of signatures use zero-knowledge proofs on discrete logarithms. To make a confirmer signature fail-stop, we need to develop a technique that allows the zero-knowledge proofs themselves to fail-stop: if an adversary forges a proof, he or she can be caught after the instance. We also give a blind version of our fail-stop confirmer signature scheme. These schemes have potential applications in electronic commerce.

The rest of the paper is organized as follows: Section 2 introduces our model, including the definitions of the basic protocols to be used. Section 3 presents the concepts and protocols of fail-stop knowledge proofs and fail-stop signature knowledge. Section 4 gives the detailed protocol of fail-stop confirmer signatures and its blind version. Section 5 concludes the paper.



2 Model 

We now look at a general construction of our fail-stop confirmer signatures, which is based on the confirmer signature scheme [2] and the fail-stop signature scheme [6]. For simplicity, we assume that there exist a signer S, a confirmer C, a signature verifier V, and a trusted third party TTP who helps signers and confirmers establish their keys.

In our system, both signature and confirmation have the fail-stop property, associated with the concepts of knowledge proofs and signature knowledge proofs on discrete logarithms [10,11]. In the following, we give the definitions of "fail-stop" related to those concepts.

Definition 1. (Fail-Stop Knowledge Proof of Discrete Logarithms) Given a legitimate knowledge proof $\kappa$ on a secret associated with a finite field $Z_q$ and the corresponding verification algorithm $V$, a powerful adversary can generate a forged proof $\kappa'$ that can also be verified using the same $V$. The probability of finding the forgery by the adversary is $1 - 1/q$ (see the next section for the proof).

Definition 1 stems from the original fail-stop concept, here applied to knowledge proofs. We also use the concept of signature knowledge, which is equivalent to digital signatures [11].

Definition 2. (Fail-Stop Signature Knowledge of Discrete Logarithms) Given a legitimate signature knowledge $\sigma$ with the secret key associated with a finite field $Z_q$ and the corresponding verification algorithm $V$, a powerful adversary can generate a forged signature knowledge $\sigma'$ that can also be verified using the same $V$. The probability of finding the forgery by the adversary is $1 - 1/q$ (see the next section for the proof).

The scheme consists of the following protocols.

– There are two key generators. For an input $1^\ell$ with security parameter $\ell$,

 • $FG_S(1^\ell) \to (K_S, P_S)$, the fail-stop secret–public key pair for the signer. $K_S$ and $P_S$ are each a set containing related data.

 • $FG_C(1^\ell) \to (K_C, P_C)$, the fail-stop secret–public key pair for the confirmer. $K_C$ and $P_C$ are each a set.

– There is a probabilistic polynomial knowledge proof algorithm that receives a secret and outputs a fail-stop knowledge proof $\kappa$.

– There is a non-interactive verification protocol $(P_C, V_V)$ for the knowledge proof, between the confirmer and the verifier,

 $[P_C(K_C), V_V()](\kappa, P_C) \to \delta$, for $\delta \in \{0, 1\}$.

 $P_C$ is the proof protocol and $V_V$ is the corresponding verification protocol. The private input of $P_C$ is $K_C$, the secret to be proved. The common inputs for the protocol are $\kappa, P_C$; $P_C$ is the public key of the prover. The verification protocol returns a Boolean value $\delta$. If $\delta = 1$, $\kappa$ is valid, and 0 otherwise.

– There is a probabilistic polynomial signature knowledge algorithm which receives a secret key and a message and outputs a fail-stop signature knowledge $\sigma$. There is also a corresponding blind algorithm, $\tilde{\sigma}$.

– There is a non-interactive verification protocol $(S_S, V_V)$ for the signature knowledge proof, between the signer and the verifier,

 $[S_S(K_S), V_V()](m, \sigma, P_S, y_C) \to \delta$, for $\delta \in \{0, 1\}$.

 $S_S$ is the signing protocol and $V_V$ is the corresponding verification protocol. The private input of $S_S$ is $K_S$. The common inputs for the protocol are $m, \sigma, P_S, y_C$; $P_S$ is the signer's public key and $y_C$ is the confirmer's public key. The verification protocol returns a Boolean value $\delta$. If $\delta = 1$, $\sigma$ is valid, and 0 otherwise. There is an interactive verification protocol for the blind version, defined in a similar manner,

 $[\tilde{S}_S(K_S), \tilde{V}_V()](m, \tilde{\sigma}, P_S, y_C) \to \delta$, for $\delta \in \{0, 1\}$.

 We use $\tilde{\ }$ to denote "blind".

– There is a protocol between the signer and the TTP for finding a possible forger,

 $[T()](P_i, \Sigma_i) \to \delta$, for $\delta \in \{0, 1\}$.

 Here $i = S$ for the signer and $i = C$ for the confirmer; $\Sigma_S$ denotes $\sigma$ and $\Sigma_C$ denotes $\kappa$. The common inputs for the protocol are $m, \Sigma_i$. If it outputs 1, $\Sigma_i$ is valid, and 0 otherwise.

Throughout this paper, we will use the following notation:

– $p = 2q + 1$ is a large prime such that $q$ is a prime as well; both $p$ and $q$ are public.

– $g$ is an element of $Z_p^*$ generating the multiplicative subgroup of order $q$.

– There exists a public one-way function $H : \{0,1\}^* \to \{0,1\}^{\ell}$ ($\ell \approx 160$).

– $|$ denotes the modulo operator: $z|p$ means $z \bmod p$.

3 Fail-Stop Knowledge Proofs and Signature Knowledge 

Knowledge proofs of discrete log were initially introduced by Chaum [10]. Since then, there have been many works on such knowledge proofs. Basically, there are two types of discrete log knowledge proofs: interactive and non-interactive. They have equivalent functionality. Recently, discrete log knowledge proofs have been applied to signature knowledge proofs, which are proved equivalent to digital signatures [11].

An important step in achieving fail-stop confirmer signatures is to make discrete log knowledge proofs fail-stop. We apply the fail-stop signature method developed by Chaum to our discrete log proofs. The original purpose of fail-stop signatures is to prevent any powerful adversary from computing the secret key for signing. Under a fail-stop signature, the legitimate signing key is chosen from a large set whose elements all map to the same public key. Therefore, the powerful opponent has a very small probability of finding the real signing key and a high probability of getting a fake key. If one of the fake keys is used to sign, the illegal signer will be caught by the TTP.

3.1 Fail-Stop Knowledge Proofs on Discrete Logarithms 

As defined in the preceding section, fail-stop knowledge proofs have the same mechanism as a fail-stop signature. We restrict ourselves to non-interactive knowledge proofs only, since they add less load to the network traffic than the interactive methods.

Let $p = 2q + 1$ be a prime such that $q$ is prime as well. Let $g \in Z_p^*$ be an element of order $q$. Select $a$ from $Z_q$ and define $h = g^a|p$. The values $p, q, g, h$ and $a$ are chosen by the TTP; $p, q, g$ and $h$ are public and $a$ is kept secret from everyone else.

We require the prover to have a certificate, which she must use during proof construction. The certificate is defined as $Cert \leftarrow (b_1, b_2)$ signed by the TTP, where $b_1$ and $b_2$ must have a form that suits the fail-stop computation. To construct suitable $b_1$ and $b_2$, the prover chooses $x_1, \dots, x_4$ from $Z_q$ at random as her secret key and computes $b_1 \leftarrow g^{x_1} h^{x_4}|p$ and $b_2 \leftarrow g^{x_2} h^{x_3}|p$.

Let $x$ be the secret to be proved by the prover and $y = g^x|p$ her commitment to the secret. Note that proving knowledge of the discrete log $\log_g y$ is equivalent to proving knowledge of $\log_{b_1} b_1^x$, provided that we can prove that these two discrete logs are equal. Proving equality of two or more discrete logs is easy using Fujioka and Okamoto's interactive bi-proof [13]; the bi-proof method can readily be converted to a non-interactive version, and for simplicity we leave the details to the reader. We always assume the base for the proof is $b_1$, that is, $y = b_1^x|p$. The key (including the secret to be proved) for the prover is defined as $K \leftarrow (K_P, P_P)$ for $K_P \leftarrow (x, x_1, \dots, x_4)$ and $P_P \leftarrow (y, b_1, b_2)$.

The protocol to prove knowledge of $x$ from $y$ is as follows:

– Prover:

 • Selects $r_1, r_2 \in_R Z_q$ and computes $d = g^{r_1} h^{r_2}|p$ as a proof commitment.¹

 • Calculates $c = H(g, h, y, b_1, b_2, d)$.

 • Then calculates $a_1 = r_1 + x_2 + x_1 c x$ and $a_2 = r_2 + x_3 + x_4 c x$ for $A \leftarrow (a_1, a_2) \in Z_q \times Z_q$.

– Verifier:

 • Checks correctness of the hash function.

 • Checks $d y^c b_2 = g^{a_1} h^{a_2}|p$.

¹ The original Heyst–Pedersen fail-stop signature scheme uses part of the secret key, $(x_2, x_3)$, as the signature commitment. We should point out that it can be broken using the well-known common-signature-commitment attack. For example, if we sign two different messages $m_1$ and $m_2$, the fail-stop signatures are $a_1 = x_2 + m_1 x_1$, $a_2 = x_3 + m_1 x_4$ and $a'_1 = x_2 + m_2 x_1$, $a'_2 = x_3 + m_2 x_4$; the secret key can then be computed as $x_1 = (a_1 - a'_1)/(m_1 - m_2)$ and $x_4 = (a_2 - a'_2)/(m_1 - m_2)$. Adding $r$ to the fail-stop signature easily fixes the problem. This kind of attack applies to all similar signature schemes, such as ElGamal signatures, Schnorr signatures, etc.

The completeness of the protocol is obvious, since the verifier can verify the proof whenever it is correctly constructed. We now explain the soundness of the protocol in the following lemmas. First of all, we show that the prover has to keep her proof commitment:

Lemma 1. There exists no polynomial time algorithm which, on input $(d, c, a_1, a_2)$, outputs $(d', c', a'_1, a'_2)$ such that $d' y^{c'} b_2 = g^{a'_1} h^{a'_2}|p$.

Proof. (Sketch) This is because the proof commitment has been embedded in the hash function that forms $c$. It is easy to see that if $d$ were not in the hash function, the lemma would become incorrect: by setting $d' = y^{-c} b_2^{-1} g^{a'_1} h^{a'_2}|p$ we obtain $d' y^c b_2 = g^{a'_1} h^{a'_2}|p$ for arbitrary $a'_1, a'_2$.

The proof commitment can be used for the specific proof only, otherwise the prover's secret key will be compromised (see the footnote).

Suppose that the powerful opponent (say, Eve) can find $x'_1, \dots, x'_4$ such that $b_1 = g^{x'_1} h^{x'_4}|p$ and $b_2 = g^{x'_2} h^{x'_3}|p$. The opponent can of course use the same certificate to illegally prove any discrete log at will, and her proof can still be verified.

Lemma 2. Let the tuple $(x'_1, x'_2, x'_3, x'_4)$ satisfying $b_1 = g^{x'_1} h^{x'_4}$ and $b_2 = g^{x'_2} h^{x'_3}$ be a fake secret key for the opponent. Then the opponent can prove her knowledge of any $x'$. However, with probability $1 - 1/q$, the opponent can be caught.

Proof. (Sketch) We know that there are $q$ discrete log solutions with respect to $x_1, x_2, x_3, x_4$ but only one is registered with the TTP [12]. Therefore, the probability that Eve finds the correct one is $1/q$. Let us now see how Eve is caught. To do this, the TTP needs to find out $a$, which is known only to the TTP. We assume that the opponent produced a proof with a tuple $(x', c', d', A', y', b_1, b_2)$ such that $[P_{P'}(K_{P'}), V_V()](\kappa', P_{P'}) \to 1$, i.e. $d' y'^{c'} b_2 = g^{a'_1} h^{a'_2}|p$. The legitimate prover has her own proof with the tuple $(x, c, d, A, y, b_1, b_2)$ such that $[P_P(K_P), V_V()](\kappa, P_P) \to 1$, i.e. $d y^c b_2 = g^{a_1} h^{a_2}|p$. Since $g^{a_1} h^{a_2}/d = g^{a'_1} h^{a'_2}/d'|p$, i.e. $g^{\tilde{a}_1 + a \tilde{a}_2} = g^{\tilde{a}'_1 + a \tilde{a}'_2}|p$ where $\tilde{a}'_i = a'_i - r'_i$ and $\tilde{a}_i = a_i - r_i$, the TTP can compute $a$ as

 $a = (\tilde{a}'_1 - \tilde{a}_1)(\tilde{a}_2 - \tilde{a}'_2)^{-1}|q$.

This is because $\tilde{a}'_2 \neq \tilde{a}_2$. Note that, since $\tilde{a}'_2$ and $\tilde{a}_2$ are independent of the proof commitment with respect to $r_1$ and $r_2$, $a$ will never be found in the case of two legitimate signatures (because then $\tilde{a}'_2 = \tilde{a}_2$).
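As an added illustration (not code from the paper), the proof protocol of this section and the key-ambiguity argument of Lemma 2 in Python over a constructed toy group: $p = 2039$, $q = 1019$, the TTP's exponent $a$ and the hash $H$ (modelled as SHA-256 reduced mod $q$) are assumed values, and the exhaustive search for every $(x_1, x_4)$ that fits the certified $b_1$ is only feasible because $q$ is tiny.

```python
import hashlib
import secrets

# Toy fail-stop group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime, g a generator of the order-q subgroup, h = g^a mod p,
# where a is the TTP's secret exponent.
P = 2039
Q = 1019
G = pow(2, 2, P)          # a square in Z_p^*, hence an element of order q
A_TTP = 777               # the TTP's secret a (assumed value)
H = pow(G, A_TTP, P)      # h = g^a mod p


def hash_to_zq(*items):
    """The paper's H(...), modelled as SHA-256 over the ordered inputs, reduced mod q."""
    data = "|".join(str(i) for i in items).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Prover's fail-stop key: secret (x1..x4) and the certified public part (b1, b2)."""
    x1, x2, x3, x4 = (secrets.randbelow(Q) for _ in range(4))
    b1 = pow(G, x1, P) * pow(H, x4, P) % P      # b1 = g^x1 h^x4 mod p
    b2 = pow(G, x2, P) * pow(H, x3, P) % P      # b2 = g^x2 h^x3 mod p
    return (x1, x2, x3, x4), (b1, b2)


def fsk_prove(x, kp, pp):
    """Fail-stop knowledge proof of x for the commitment y = b1^x mod p (Section 3.1)."""
    x1, x2, x3, x4 = kp
    b1, b2 = pp
    y = pow(b1, x, P)
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    d = pow(G, r1, P) * pow(H, r2, P) % P       # proof commitment d = g^r1 h^r2
    c = hash_to_zq(G, H, y, b1, b2, d)          # d is bound into c (Lemma 1)
    a1 = (r1 + x2 + x1 * c * x) % Q
    a2 = (r2 + x3 + x4 * c * x) % Q
    return y, (d, c, a1, a2)


def fsk_verify(y, pp, proof):
    """Verifier: recompute c, then check d * y^c * b2 == g^a1 * h^a2 (mod p)."""
    b1, b2 = pp
    d, c, a1, a2 = proof
    if c != hash_to_zq(G, H, y, b1, b2, d):
        return False
    lhs = d * pow(y, c, P) % P * b2 % P
    rhs = pow(G, a1, P) * pow(H, a2, P) % P
    return lhs == rhs


def equivalent_keys(b1):
    """All (x1, x4) pairs with g^x1 h^x4 == b1 mod p, found exhaustively in the toy group.

    This is the point of Lemma 2: every one of these q pairs is consistent with the
    certified b1, so even an adversary who can take discrete logs has only a 1/q
    chance of picking the pair that is actually registered with the TTP.
    """
    log_table = {pow(G, e, P): e for e in range(Q)}      # g^e -> e
    pairs = []
    for x4 in range(Q):
        target = b1 * pow(pow(H, x4, P), -1, P) % P       # b1 / h^x4
        pairs.append((log_table[target], x4))
    return pairs


if __name__ == "__main__":
    kp, pp = keygen()
    y, proof = fsk_prove(5, kp, pp)
    print("honest proof verifies:", fsk_verify(y, pp, proof))
    d, c, a1, a2 = proof
    print("tampered commitment verifies:", fsk_verify(y, pp, (d * G % P, c, a1, a2)))
    keys = equivalent_keys(pp[0])
    print(len(keys), "secret keys fit b1; registered one included:", (kp[0], kp[3]) in keys)
```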

For convenience, let us now extend the definitions given in Definitions 1 and 2 in Section 2:

Definition 3. (Fail-Stop Knowledge Proof – Extension to Definition 1) The fail-stop knowledge proof of the discrete log $\log_{b_1} y$ described in the above protocol is represented by $\kappa \leftarrow FSK(K_P, P_P, A, d)(x, y)$, or simply $\kappa \leftarrow FSK(x, y)$.

Definition 4. (Fail-Stop Signature Knowledge Proof – Extension to Definition 2) Let $x \in Z_q$ be the secret key and $y = g^x|p$ the commitment to $x$. Let $m$ be the message to be signed. The fail-stop signature knowledge is the tuple $(a_1, a_2, c) \in Z_q^3$ for $a_1 = r_1 + x_2 + cxx_1$, $a_2 = r_2 + x_3 + cxx_4$ and $c = H(m, g, y, h, b_1, b_2, A, dy^c b_2)$, defined as $FSSK(x, y)(m)$.

3.2 Fail-Stop Signature Knowledge Proofs for Discrete Logarithm Equality

Consider $g_1, g_2 \in Z_p^*$. Let $x \in Z_q$ be the secret to be proved by the prover and $y_1 = b_1^x|p$ and $y_2 = b_1'^x|p$ be her commitments to the secret. The prover chooses $x_1, \dots, x_4$ from $Z_q$ at random as her secret key and computes $b_1 \leftarrow g_1^{x_1} h_1^{x_4}|p$, $b'_1 \leftarrow g_2^{x_1} h_2^{x_4}|p$, $b_2 \leftarrow g_1^{x_2} h_1^{x_3}|p$ and $b'_2 \leftarrow g_2^{x_2} h_2^{x_3}|p$. Let $Cert \leftarrow (b_1, b'_1, b_2, b'_2)$ be the prover's public key certificate signed by the TTP. The key for the prover is defined as $K \leftarrow (K_P, P_P)$ for $K_P \leftarrow (x, x_1, \dots, x_4)$ and $P_P \leftarrow (y_1, y_2, b_1, b'_1, b_2, b'_2)$. The protocol is as follows:

– Prover:

 • Selects $r_1, r_2 \in_R Z_q$ and computes $d_1 = g_1^{r_1} h_1^{r_2}|p$ and $d_2 = g_2^{r_1} h_2^{r_2}|p$.

 • Calculates $c = H(m, g_1, g_2, h_1, h_2, y_1, y_2, b_1, b_2, b'_1, b'_2, d_1 y_1^c b_2, d_2 y_2^c b'_2)$, where $h_1 = g_1^a|p$ and $h_2 = g_2^a|p$ are both determined by the TTP.

 • Then calculates $a_1 = r_1 + x_2 + x_1 c x$ and $a_2 = r_2 + x_3 + x_4 c x$ for $A \leftarrow (a_1, a_2) \in Z_q \times Z_q$.

– Verifier:

 • Checks the hash function.

 • Checks $d_1 y_1^c b_2 = g_1^{a_1} h_1^{a_2}|p$ and $d_2 y_2^c b'_2 = g_2^{a_1} h_2^{a_2}|p$.

For the correctness of this protocol, readers are referred to the soundness and completeness explanation given for the preceding protocol.

To obtain a signature knowledge proof, we only need to modify the hash function and compute a different $c$. The definition below gives the details.

Definition 5. (Fail-Stop Chaum–Pedersen Signature Knowledge for Equality of Discrete Logarithms) Let $x \in Z_q$ be the secret key, $m$ the message, $y_1 = b_1^x|p$ and $y_2 = b_1'^x|p$ the public key, and $d_1, d_2$ the signature commitment. The signature knowledge is the triplet $(a_1, a_2, c) \in Z_q^3$ for $a_1 = r_1 + x_2 + x_1 c x$, $a_2 = r_2 + x_3 + x_4 c x$ and $c = H(m, g_1, g_2, h_1, h_2, y_1, y_2, b_1, b_2, b'_1, b'_2, d_1 y_1^c b_2, d_2 y_2^c b'_2)$. The fail-stop signature knowledge proof for equality of discrete logarithms is defined as $FSCP(x, g_1, g_2, y_1, y_2)(m)$.



4 Blind Fail-Stop Signature Knowledge 

In order to study blind fail-stop confirmer signatures, we give the blind versions of fail-stop knowledge proofs and signature knowledge.

4.1 Blind Fail-Stop Signature Knowledge Proofs

Let $x$ be the secret to be proved by the prover and $y = g^x|p$ his commitment to the secret. Based on the bi-proof of two discrete logs [13], we can assume the base for the proof is $b_1$, that is, $y = b_1^x|p$. The protocol is described below:

– Signer: Selects $r_1, r_2 \in_R Z_q$, computes $d = g^{r_1} h^{r_2}|p$, and sends $d$ to the recipient.

– Recipient: Selects $\gamma, \theta \in_R Z_q$, computes $d' \leftarrow (d b_2)^{\theta} b_2^{-1} (gh)^{\gamma}|p$, $c = H(m, g, h, y, b_1, b_2, d')$ and $c' \leftarrow c/\theta$, and then sends $c'$ to the signer.

– Signer: Computes $a_1 = r_1 + x_2 + x_1 c' x$ and $a_2 = r_2 + x_3 + x_4 c' x$ for $A \leftarrow (a_1, a_2) \in Z_q \times Z_q$, and then sends $A$ to the recipient.

– Recipient: Computes $a'_1 \leftarrow a_1 \theta + \gamma$ and $a'_2 \leftarrow a_2 \theta + \gamma$, and sets $A' \leftarrow (a'_1, a'_2)$.

The blind signature knowledge consists of $A', c, b_1, b_2, d'$. The verifier can validate it by checking the hash function and $d' y^c b_2 = g^{a'_1} h^{a'_2}|p$.

The completeness of the protocol is obvious. For the soundness of the protocol, we can see the following properties:

– Blindness: The signer/prover has no knowledge of the resulting signature knowledge, since he signed only $c'$. However, given the signature knowledge tuple $(A', c, b_1, b_2, d')$, both signer and recipient can be sure of its authenticity.

– Unforgeability: Although the signer has not seen $c$, in the verification of $c$ the verifier checks the details of the hash function and makes sure that $d'$ has been embedded in it. Therefore, $d'$ cannot be faked.

– Fail-stop: The signature doublet $(c, A')$ has the form of a normal fail-stop confirmer signature, therefore Lemma 1 can still be applied.

Definition 6. (Blind Fail-Stop Signature Knowledge Proof) Let $m$ be the message to be signed. The blind fail-stop signature knowledge proof is the pair $(A', c) \in Z_q^3$, defined as $BFSSK(x, y)(m)$.

4.2 Blind Fail-Stop Signature Knowledge for Discrete Logarithm Equality

The setup of keys is the same as that for a normal FSCP. The only difference is that $c$ is unknown to the signer.

– Signer: Selects $r_1, r_2 \in_R Z_q$, computes $d_1 = g_1^{r_1} h_1^{r_2}|p$ and $d_2 = g_2^{r_1} h_2^{r_2}|p$, and sends $d_1, d_2$ to the recipient.

– Recipient: Selects $\gamma, \theta \in_R Z_q$, computes $d'_1 \leftarrow (d_1 b_2)^{\theta} b_2^{-1} (g_1 h_1)^{\gamma}|p$, $d'_2 \leftarrow (d_2 b'_2)^{\theta} b_2'^{-1} (g_2 h_2)^{\gamma}|p$, $c = H(m, g_1, g_2, h_1, h_2, y_1, y_2, b_1, b_2, b'_1, b'_2, d'_1 y_1^c b_2, d'_2 y_2^c b'_2)$ and $c' \leftarrow c/\theta$, and then sends $c'$ to the signer.

– Signer: Computes $a_1 = r_1 + x_2 + x_1 c' x$ and $a_2 = r_2 + x_3 + x_4 c' x$ for $A \leftarrow (a_1, a_2) \in Z_q \times Z_q$, and then sends $A$ to the recipient.

– Recipient: Computes $a'_1 \leftarrow a_1 \theta + \gamma$ and $a'_2 \leftarrow a_2 \theta + \gamma$, and sets $A' \leftarrow (a'_1, a'_2)$.

The blind signature knowledge consists of $A', c, b_1, b_2, b'_1, b'_2, d'_1, d'_2$. The verifier can validate it by checking the hash function and $d'_1 y_1^c b_2 = g_1^{a'_1} h_1^{a'_2}|p$ and $d'_2 y_2^c b'_2 = g_2^{a'_1} h_2^{a'_2}|p$.

The correctness of this protocol can be seen from the discussions for BFSSK and FSCP.

Definition 7. (Blind Fail-Stop Chaum–Pedersen Signature Knowledge for Equality of Discrete Logarithms) Let $x \in Z_q$ be the secret key and $m$ the message. Let $g_1, g_2 \in Z_p^*$, $y_1 = b_1^x|p$ and $y_2 = b_1'^x|p$ be the public key, and $d'_1, d'_2$ the signature commitment. The signature knowledge is the pair $(A', c) \in Z_q^3$ for $c = H(m, g_1, g_2, h_1, h_2, y_1, y_2, b_1, b_2, b'_1, b'_2, d'_1 y_1^c b_2, d'_2 y_2^c b'_2)$, defined as $BFSCP(x, g_1, g_2, y_1, y_2)(m)$.

5 Fail-Stop Confirmer Signatures 

Based on the techniques developed in Sections 3 and 4, we can easily construct a fail-stop confirmer signature scheme and its blind version. We adopt Chaum's confirmer signature scheme.

5.1 Signing Protocol

Consider $g \in Z_p^*$, $x_C, a \in Z_q$, $y_C = g^{x_C}|p$ and $f = g^{a}|p$, where $x_C$ is the confirmer's secret key. Assume that the signer has a secret key $K_S \leftarrow (x_S, x_1, \dots, x_4)$ and its corresponding public key $P_S \leftarrow (y_S, b_1, b'_1, b_2, b'_2)$. The signing protocol is as follows:

Step 1: The signer constructs the signature:

 • Selects $r \in_R Z_q$; $K'_S \leftarrow (r, x_1, \dots, x_4)$.

 • Computes $u = g^r|p$ and $v = f^r|p$; $P'_S \leftarrow (u, v)$.

 • Computes the fail-stop Chaum–Pedersen signature knowledge for the discrete logs $\log_g u = \log_f v$ on $m$, that is, $\sigma \leftarrow FSCP(r, g, f, u, v)(m)$.

 • Computes the fail-stop signature knowledge on $\sigma$: $\alpha \leftarrow FSSK(x_S, y_S)(\sigma)$.

 • Then sends $u, v, \sigma, \alpha$ to the verifier.

Step 2: The verifier verifies the signature by checking

 $[S_S(K_S), V_V()](m, \sigma, P_S, P'_S, f) \to 1$,
 $[S_S(K_S), V_V()](\sigma, \alpha, P_S) \to 1$.

Completeness: It is obvious that by following the correct steps the verifier obtains the correct form of the signature. $[S_S(K_S), V_V()](m, \sigma, P_S, f) \to 1$ ensures that the signer knows $r$ and its commitment $(u, v)$ to $r$. The verifier is sure that the confirmer's commitment $f$ has been embedded in $\sigma$. With $[S_S(K_S), V_V()](\sigma, \alpha, P_S) \to 1$, the verifier ensures that the message is properly signed.

Soundness: We need to prove that the signer cannot cheat during the computation of $\sigma$ and $\alpha$.

– Unforgeability: There exists no polynomial time algorithm which, on input $(P_S, y_S, f)$ from the given key generators, outputs with non-negligible probability a correct confirmer signature knowledge $(\sigma', \alpha', m')$. This property holds as long as no adversary has sufficient computational power to solve discrete log problems; the fail-stop property handles any adversary who is powerful enough to compute a discrete log.

– Fail-stop property: Both signature knowledge proofs, $\sigma$ and $\alpha$, are fail-stop. That is, the system allows the existence of some non-polynomial-time algorithms which, on the given $P_S$ for $\sigma$, output a $P'_S \leftarrow (y', b_1, b'_1, b_2, b'_2)$ where $(b_1, b'_1, b_2, b'_2)$ maps to $(x_i, x'_i)$. However, such a forgery can be stopped with probability $1 - 1/q$. A similar situation applies to $\alpha$.

5.2 Confirmation Protocol 

We now show how the confirmer confirms the confirmer signature knowledge produced by the signer. Basically, the confirmer only needs to prove his knowledge of the discrete log $x_C \leftarrow \log_u v$. To make the proof fail-stop, we apply the fail-stop discrete log proof given in Section 3. The proof is defined as $\kappa_C \leftarrow FSK(x_C, v)(\sigma, \alpha)$. The verifier checks $[P_C(K_C), V_V()](\kappa_C, (u, v))$ and makes sure the output is 1. The properties of the confirmation protocol follow those given in Section 3.

5.3 Blind Fail-Stop Confirmer Signatures 

Blind signatures are useful for many applications in e-commerce. Therefore, it is worthwhile to consider methods for blinding our fail-stop confirmer signatures. The blind fail-stop confirmer signature scheme has a protocol similar to the non-blind version; the only modification needed is to replace FSCP and FSSK by BFSCP and BFSSK. We omit the presentation of the protocols in this paper.

6 Conclusion 

We have presented a security-enhanced confirmer digital signature scheme which prevents a powerful adversary from forging a signature. Our system is based on the theory of fail-stop knowledge proofs on discrete logs and signature knowledge developed in the paper; we have shown that the scheme is unforgeable and fail-stop. We have also constructed the blind version of the scheme, which has potential applications in electronic commerce. An important contribution of this paper is fail-stop zero-knowledge proofs on discrete logarithms. This new concept makes such zero-knowledge proof schemes more secure.
Abstract. We present a new identification scheme which is based on Legendre symbols modulo a certain hidden prime and which is naturally suited for low power, low memory applications.



1 Overview 

One of the most desirable cryptographic functions is a secure, small, zero-knowledge public-key identification scheme. The applications are many and obvious: even the single application of credit/smart-card security is enough to stimulate research. In this paper, we present a scheme that requires extremely little computing power to perform a verification and to which we refer as FLIP (Fast Legendre Identification Protocol). Our scheme is unbalanced by design: the party proving his/her identity needs almost no computing power, while the party to whom the identity is being proved needs only a very small amount.

Our scheme is based on the assumption that integer factorization is a "hard problem." In fact, we believe that the only feasible attack on our scheme is via the factorization of a certain modulus $M$, hence the scheme is secure provided that $M$ is reasonably large. In contrast to (say) RSA based signatures, our scheme offers the advantage that time consuming computation modulo $M$ is required only for the verifier (it is not unreasonable to assume the verifier to be more powerful than the prover). This lends itself well to the credit/smart-card and bank paradigm.

We have conducted some preliminary tests using the interpreted number theory system PARI-GP. We find that FLIP (at high security) performs an identification as fast as or faster than any other identification scheme of which we are aware, although key creation in FLIP is slower than in some other schemes; see [8].

We remark that although our scheme uses constructions similar to the Feige–Fiat–Shamir scheme, see [10], the two schemes seem to be independent and rely on the hardness of different number theoretic problems (although the assumption of the hardness of integer factorization is common to both of them).



2 FLIP Description 



Our construction is based on properties of the Legendre and Jacobi symbols.

We recall that given a prime $p$ the Legendre symbol of $a$ with $\gcd(a, p) = 1$ is defined as

 $\left(\frac{a}{p}\right) = \begin{cases} 1, & \text{if the congruence } a \equiv z^2 \pmod p \text{ is solvable,} \\ -1, & \text{otherwise.} \end{cases}$

The Jacobi symbol modulo an odd integer $k$ is defined as the multiplicative extension of the Legendre symbol. That is,

 $\left(\frac{a}{k}\right) = \prod_{i=1}^{s} \left(\frac{a}{p_i}\right)^{\nu_i},$

where

 $k = p_1^{\nu_1} \cdots p_s^{\nu_s}$

is the prime factorization of $k$.

We also recall the following basic properties of the Jacobi symbol (see Section 5.8 of [3]) which hold for any odd integer $k$ and arbitrary integers $l$ and $r$:

 • $\left(\frac{l}{k}\right) = $

 • $\left(\frac{lr}{k}\right) = \left(\frac{l}{k}\right)\left(\frac{r}{k}\right)$;

 • $\left(\frac{l}{k}\right) = \left(\frac{r}{k}\right)$ if $l \equiv r \pmod k$;

 • $\left(\frac{l}{k}\right) = \left(\frac{k}{l}\right)(-1)^{(l-1)(k-1)/4}$ if $l$ is odd.

The above properties provide very fast algorithms for computing Jacobi symbols, and thus guarantee the efficiency of our scheme.

FLIP has two formal security parameters, integers $n$ and $k$.

For the purposes of this paper, we will assume that Irina is proving her identity to the verifier Victor.

To create the signature Irina uses the following algorithm:

FLIP initial set-up and key construction

Step 1

Irina chooses two $n$-bit prime numbers $p$ and $r$, and computes the product $M = pr$.

Step 2

Irina selects at random $k$ relatively prime $2n$-bit integers $a_j$, computes the Legendre symbols

 $\alpha_j = \left(\frac{a_j}{p}\right), \quad j = 1, \dots, k,$

and checks that at least one $\alpha_j = -1$.

Step 3

Irina publishes as her public key the product $M$ and the collection of $k$ pairs $(a_j, \alpha_j)$, $j = 1, \dots, k$.

Step 4

Irina discards the value of $r$ and retains as her private key the prime $p$.

The verification protocol has another security parameter, a non-negative integer $l$.

The FLIP verification sequence

Step 1

Victor chooses $l$ random $2n$-bit integers $s_1, \dots, s_l$ and $l$ subsets of the set $\{a_1, \dots, a_k\}$, and for each subset he computes the product of $s_i^2$ and the selected integers modulo $M$. In other words, Victor chooses $l$ sets of $k$ random bits $e_{ij} \in \{0, 1\}$ and computes, for $i = 1, \dots, l$,

 $C_i = s_i^2 \prod_{j=1}^{k} a_j^{e_{ij}} \pmod M, \quad 0 \le C_i \le M - 1.$

Step 2

Victor transmits the $l$ numbers $C_i$, $i = 1, \dots, l$.

Step 3

Irina computes and transmits the $l$ Legendre symbols

 $\left(\frac{C_i}{p}\right), \quad i = 1, \dots, l.$

Step 4

Victor verifies that each of the $l$ Legendre symbols transmitted by Irina is correct. That is, he verifies that

 $\left(\frac{C_i}{p}\right) = \prod_{j=1}^{k} \alpha_j^{e_{ij}}, \quad i = 1, \dots, l.$

We first note that in terms of the parameters $n$, $k$ and $l$ we have the following properties:

 • the bit size of the private key is $n$;
 • the bit size of the public key is $2n + k(n+1)$;
 • the total number of bits transmitted is $(2n + 1)l$.

We remark that the relatively prime numbers $a_1, \dots, a_k$ need not be chosen by Irina. They can be globally available or even produced by Victor. In either of these cases they are not, strictly speaking, part of the public key, and the bit length of the public key drops to $2n + k$. In any case, the generation of the $a_j$ is not time consuming. In fact, even if one decides to select $k$ random $2n$-bit prime numbers, this can be done efficiently by selecting random integers in the interval $[2^{n-1}, 2^n - 1]$ and testing them for primality. Classical density results about the distribution of prime numbers and primality testing algorithms (see [3,5,6]) guarantee the efficiency of this procedure. The condition that at least one of $a_1, \dots, a_k$ is not a quadratic residue modulo $p$ is very easy to satisfy as well, for example by selecting $a_1$ with this property.

It is also useful to recall that each computation of a Legendre symbol involved in this scheme takes $O(n^2)$ bit operations; see Theorem 5.9.3 of [3] or Section 1.4 of [5]. Each multiplication modulo $M$ takes $O(n^2)$ bit operations if one uses naive arithmetic and $O(n \log n)$ bit operations if one uses fast arithmetic; see Theorems 7.8 and 8.5 of [1] or Theorem 8.24 and Corollary 9.9 of [6].
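As an added illustration (not code from the paper), the key construction and verification sequence above in Python with constructed toy parameters: $p$ and $r$ are small primes and the $a_j$ are small primes rather than random $2n$-bit integers, the Jacobi symbol is computed with the rules recalled above, and a seeded RNG stands in for Victor's random choices. The `impostor_respond` path is the guessing attacker whose success probability is $2^{-l}$, as analysed in the next section.

```python
import random
from math import gcd


def jacobi(a, k):
    """Jacobi symbol (a/k) for odd k > 0, via the rules recalled in Section 2:
    pull out factors of 2, apply quadratic reciprocity, reduce modulo k."""
    if k <= 0 or k % 2 == 0:
        raise ValueError("k must be a positive odd integer")
    a %= k
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if k % 8 in (3, 5):          # (2/k) = -1 exactly when k = 3 or 5 (mod 8)
                result = -result
        a, k = k, a                       # reciprocity flips the sign iff both are 3 (mod 4)
        if a % 4 == 3 and k % 4 == 3:
            result = -result
        a %= k
    return result if k == 1 else 0        # 0 when gcd(a, k) > 1


# Constructed toy parameters (assumed values, nowhere near the paper's n-bit sizes):
# two small primes for p and r, and small primes standing in for the 2n-bit a_j.
P_SECRET = 10007
R_DISCARDED = 10009
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]


def flip_keygen(p=P_SECRET, r=R_DISCARDED, a_list=SMALL_PRIMES):
    """Irina's set-up: M = p*r and alpha_j = (a_j/p); r is discarded, p is the private key."""
    alphas = [jacobi(a, p) for a in a_list]          # Legendre symbols, since p is prime
    if -1 not in alphas:
        raise ValueError("at least one a_j must be a quadratic non-residue mod p")
    public = {"M": p * r, "pairs": list(zip(a_list, alphas))}
    return public, p


def flip_challenge(public, l, rng):
    """Victor: C_i = s_i^2 * prod_j a_j^{e_ij} (mod M) for i = 1..l; he keeps the bits e_ij."""
    m = public["M"]
    challenges, bits = [], []
    for _ in range(l):
        s = rng.randrange(1, m)
        while gcd(s, m) != 1:                        # keeps (C_i/p) in {+1, -1}
            s = rng.randrange(1, m)
        e = [rng.randrange(2) for _ in public["pairs"]]
        c = s * s % m
        for (a, _alpha), e_j in zip(public["pairs"], e):
            if e_j:
                c = c * a % m
        challenges.append(c)
        bits.append(e)
    return challenges, bits


def flip_respond(challenges, p):
    """Irina: one Legendre symbol (C_i/p) per challenge; the only step that needs p."""
    return [jacobi(c, p) for c in challenges]


def flip_verify(public, bits, responses):
    """Victor: (C_i/p) must equal prod_j alpha_j^{e_ij}, because (s_i^2/p) = 1."""
    for e, symbol in zip(bits, responses):
        expected = 1
        for (_a, alpha), e_j in zip(public["pairs"], e):
            if e_j:
                expected *= alpha
        if symbol != expected:
            return False
    return True


def impostor_respond(challenges, rng):
    """Without p each symbol can only be guessed: success probability 2^-l."""
    return [rng.choice((1, -1)) for _ in challenges]


def run_identification(l=40, seed=2000, honest=True):
    """One complete FLIP round; the seeded RNG is constructed for reproducibility."""
    rng = random.Random(seed)
    public, p = flip_keygen()
    challenges, bits = flip_challenge(public, l, rng)
    if honest:
        responses = flip_respond(challenges, p)
    else:
        responses = impostor_respond(challenges, rng)
    return flip_verify(public, bits, responses)


if __name__ == "__main__":
    print("honest prover accepted:", run_identification(honest=True))
    print("guessing impostor accepted:", run_identification(honest=False))
```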



3 Security Analysis 



It is obvious that the probability of impersonating a valid private key (that is, the probability of correctly guessing $l$ individual Legendre symbols) is $2^{-l}$. This is an "on-line" attack, and for attacks of this type it is common to request the $2^{40}$ level of security. Thus the choice $l = 40$ will be satisfactory.

The probability that the same product will be used twice during $N$ rounds of verification, thus allowing an attacker to collect and re-use Irina's replies, is

In particular $P_{l,k,N} \approx Nl\,2^{-k}$ if $Nl\,2^{-k} \approx 0$. This is an "off-line" attack, and for attacks of this type it is common to request the $2^{80}$ level of security. Assuming that $l = 40$ and that $N = 10000$ identification rounds are to be made, one can easily verify that the choice $k = 99$ guarantees

 $P_{l,k,N} < 2^{-80}.$

An "off-line" brute force attack (that is, correctly guessing a valid private key) would succeed with probability $2^{-n}$.



One can also apply the above scheme with $s_1 = \dots = s_l = 1$. However, in this case a more sophisticated attack can be used. An attacker can precompute the products

 $\prod_{j=1}^{\lfloor k/2 \rfloor} a_j^{f_j}$ and $\prod_{j=\lfloor k/2 \rfloor + 1}^{k} a_j^{g_j}$

for all binary vectors $(f_1, \dots, f_{\lfloor k/2 \rfloor})$ and $(g_{\lfloor k/2 \rfloor + 1}, \dots, g_k)$ and then try to find a representation of the challenges $C_i$, $i = 1, \dots, l$, by looking at the precomputed values. This "meet in the middle" attack requires of the order of $2^{k/2}$ operations and the same amount of memory, so it is not likely to be efficient. In any case, using random squares in the computation of the challenges rules out this attack completely.

Another possible attack is via the known values of Legendre symbols. In theory, 
if one knows the Legendre symbols modulo $p$ of the first $O(\log^2 p)$ integers, then 
this is enough to identify $p$ uniquely (see [7]), but no one has been able to produce 
an efficient algorithm to accomplish this identification; indeed, the security 
schemes defined in [2] are based on the intractability of this problem. Note that 
in our scheme Irina does not verify that the numbers $C_i$, $i = 1, \dots, l$, for which 
she is supposed to compute Legendre symbols are valid products of the integers 
$a_j$, $j = 1, \dots, k$, used to construct the public key (indeed, such a verification 
would be infeasible). Thus, the attacker can force Irina to compute the Legendre 
symbol modulo $p$ of any integer $C$. However, we believe that identifying the 
prime number $p$ from the values of Legendre symbols modulo $p$ of chosen integers is 
completely infeasible. 

Of course the attacker is able to compute 

for any $C$ as well, but the same arguments as above apply here too. 

As one of the advantages of our scheme we note that it is an honest-verifier 
zero-knowledge scheme. That is, an honest verifier, who uses only "legitimate" 
challenges $C_i$, i.e., challenges of the form 

$C_i = \prod_{j=1}^{k} a_j^{f_j} \pmod M, \qquad 0 \le C_i \le M - 1, \qquad i = 1, \dots, l,$ 

with binary exponents $f_j$, does not obtain any new information from the prover. 

Finally, one could successfully attack this scheme by factoring $M$ or by finding 
the representation of $C_i$ as a product of powers of $a_j$, that is, by finding 
representations 

$C_i = \prod_{j=1}^{k} a_j^{x_{ij}} \pmod M, \qquad i = 1, \dots, l,$ 

with integer $x_{ij}$. However, it is easy to see that the latter problem is not easier 
than the discrete logarithm problem. Indeed, even if $a_1, \dots, a_k$ belong to a cyclic 
group $G$ modulo $M$ and even if representations $a_j = g^{d_j} \pmod M$, $j = 1, \dots, k$, 
are known, where $g$ is a generator of $G$, then finding a representation 

$C = \prod_{j=1}^{k} a_j^{c_j} = g^{c_1 d_1 + \dots + c_k d_k} \pmod M$ 

is no easier than the general discrete logarithm problem modulo $M$. However, it 
has been shown in [9] that the discrete logarithm problem modulo a composite 
$M = pr$ (or even the possibly easier problem of breaking the Diffie-Hellman 
scheme) is as hard as factoring $M$; see also [4]. In particular, the prime numbers 
$p$ and $r$ should be selected so as to avoid all known "short-cuts" in the integer 
factorization of $M = pr$ and in solving the discrete logarithm problem modulo 
$M$. Some conditions of this kind have been described in [9]. 

4 Possible Modifications 

Instead of quadratic characters one can use characters of higher order, for 
example bi-quadratic characters. In this case a smaller value of $l$ can be selected 
for the verification procedure, thus reducing the number of bits exchanged. For 
example, using bi-quadratic characters, one can halve the value of $l$ and still 
provide the same level of security. More generally, characters of order $d$ reduce 
this value by a factor of approximately $d/2$. On the other hand, the computational 
cost of computing higher-order characters grows rather quickly with $d$. Nevertheless, 
our preliminary computational experiments have confirmed that bi-quadratic 
characters can be incorporated rather efficiently in this scheme. 

Another possible modification may help to hide the values $\vartheta_i$, $i = 1, \dots, l$. In 
order to do so, Irina and Victor select some large integer weights $w_i$, $i = 1, \dots, l$ 
(cooperatively, say, each of them provides half of the bits of each weight). Then 
Irina sends the sum $W = \vartheta_1 w_1 + \dots + \vartheta_l w_l$, which can be verified by Victor. 

However, finding the values of $\vartheta_1, \dots, \vartheta_l$ from the value of $W$ is equivalent to 
the knapsack problem, which is known to be NP-complete. In fact, there is no 
need to select the weights $w_i$, $i = 1, \dots, l$, afresh for each round. They can be some 
initially agreed upon functions of $\vartheta_i$, $i = 1, \dots, l$. Moreover, if $l$ is too small to 
guarantee the security of the knapsack problem, then Irina and Victor may use 
more weights $w_i$, $i = 1, \dots, L$, with some $L > l$, and compute the sum 

$W = B_1(\vartheta_1, \dots, \vartheta_l)\, w_1 + \dots + B_L(\vartheta_1, \dots, \vartheta_l)\, w_L,$ 

where $B_i$, $i = 1, \dots, L$, are some Boolean functions of $l$ variables. Probably one 
can even use $B_i(\vartheta_1, \dots, \vartheta_l) = \vartheta_i$ for $i = 1, \dots, l$. 
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Abstract. We propose an electronic auction scheme in which (i) 
a group of colluding bidders cannot control the contract price arbitrarily, 
(ii) the prices of all bidders except the winner are never revealed to anyone 
(not even to the auction house), and (iii) only the auction house learns 
the winner's identity, while the other (losing) bidders can verify that the 
winner belongs to the pre-registered group. 

Our scheme relies on neither an anonymous channel nor a trusted third 
party. It can be implemented with only public-key technology and 
cryptographic hash functions, and all bidders can verify the validity of the 
process for determining a winner via a public bulletin board. 
To achieve stronger anonymity of the winner, we develop a new variant 
of convertible undeniable group signatures. In our signature scheme, 
convertibility has two phases: one from on-line to off-line verification, 
and the other from individual to group. 

Key words: electronic auction, anonymous bidding, bid rigging, bidder's 
privacy, non-repudiation, undeniable signature, group signature, 
bulletin board 



1 Introduction 

A digital auction scheme is viewed as a set of electronic protocols which allow 
a collection of bidders to buy an item at an auction at as low a price as possible, 
while a seller puts an item up for auction and wants the bidders to buy it at 
as high a price as possible. Using recently developed public-key cryptographic 
techniques, we propose a digital auction scheme satisfying the following 
requirements. 
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Secrecy of bidding price: 

All bidding prices except the contract price are never revealed to anybody, 
including the auctioneer. 

Validity of the successful bid: 

The price of the successful bid is the highest among all bidding prices. 

Fairness: 

No bidder can tender on more advantageous conditions than the other bidders. 

Anonymity of the winner: 

Only the auction house learns the winner's identity, while the other (losing) 
bidders can verify that the winner belongs to the pre-registered group. 

The main contribution of this paper is that our scheme can be implemented 
with only a bulletin board, i.e. a broadcast channel with memory that 
can be observed and read by all parties (e.g. the Web), and requires neither 
anonymous channels nor trusted third authorities. 



1.1 Overview of Our Approach 

The basic approach of our scheme is a descending-price (bidding-down) strategy 
added to a sealed-bid auction: 

Bidding: Each bidder $j$ chooses a bidding price $w_k$ from a published set of $m$ 
prices $\{w_1, w_2, \dots, w_m\}$ and encrypts his bid with his private key to get 
his sealed bid $E_j(w_k)$. The bidder publishes $E_j(w_k)$. 
Auction: The auctioneer sets the highest price $w_m$ and asks each bidder via a 
bulletin board whether it tendered that price. For a price $w_k$, the bidder with 
$w_k$ reveals the decrypted $w_k$ of his sealed bid $E_j(w_k)$. 

A problem with this basic scheme is that a cheating bidder may refuse to open his 
sealed bid $w$ even though the auctioneer asks whether the content of the sealed bid 
on the bulletin board is the (current) highest price $w$. This cheating 
could break the validity of the successful bid: the price of the successful bid 
must be the highest among all bidding prices. 

We overcome this problem of an invalid successful bid by adding 
non-repudiation mechanisms to the basic scheme. To achieve non-repudiation 
our proposed scheme adapts undeniable signatures [CvA89,Cha90]. 
Our novel modification of the undeniable signature scheme is to use the undeniable signatures 
without signed messages. 



1.2 Related Work 

Electronic auction protocols are already run on the Web [ebay,Yah], and 
various protocols have been investigated in the cryptographic literature [Yam88,IMI94, 
IM95,NWFK95,FR96,Kud98,KN98,HTK98,KHT98,SKFN98]. 
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Digital auctions of the type discussed in this paper were investigated in 
[IMI94,IM95,NWFK95,Kud98,KN98,HTK98,KHT98,SKFN98]; these differ from ours 
not only in the goals achieved but also in the cryptographic assumptions applied 
and the physical tools required. 

Imamura, Matsumoto, and Imai [IMI94] initiated the approach of fighting 
bid-rigging by anonymous bidding. The scheme proposed in [NWFK95] 
furthermore considered both bid-rigging and the protection of bidders' 
privacy by assuming the existence of anonymous channels. We note that, 
although there are some attempts to implement anonymous channels [RD97,SGR97], 
anonymous channels are not yet considered as mature a tool as public-key 
based secret message transfer. 

Kudo [Kud98] proposed an electronic sealed-bid auction protocol based on public-key 
cryptography. In this scheme, each bidder's selection is not directly revealed 
to anybody, thanks to the use of pseudo-identities for bidders. Note that this scheme 
assumes that the registration authorities are distributed. Sako [Sak99] presented 
a bulletin-board based auction protocol that hides losing bids. This is very 
practical; however, it still requires trust in a third authority (the auctioneer). 

The scheme by Kikuchi and Nakanishi [KN98] and ours protect bidder privacy 
with cryptographic techniques, which require a computational assumption but no 
physical one. A difference from ours is that the Kikuchi-Nakanishi scheme [KN98] 
uses a multiparty protocol based on Shamir's secret sharing scheme to distribute 
a bidder's identity among multiple auction houses. 

We stress that our proposed scheme requires neither anonymous channels 
nor trusted third authorities, and that our system can be realized over the Web, 
as a candidate implementation of a bulletin board, with only current public-key 
technology. 



1.3 Our Contribution 

The scheme by Nakanishi et al. [NWFK95] applied undeniable signature protocols 
[CvA89,Cha90] to the non-repudiation stage, against a bidder's cheating when 
opening the sealed bid. 



Our Previous Scheme. We designed an electronic auction scheme [SM99] 
in which (i) a group of colluding bidders cannot control the contract price 
arbitrarily, and (ii) the prices of all bidders except the winner are never revealed to 
anyone (not even to the auction house). 

Our previous scheme [SM99] uses an improved undeniable signature scheme 
developed by Michels and Stadler [MiSt97]. Their undeniable signature scheme 
is efficient, and the confirmation stage and the disavowal stage are done in a 
single protocol. Furthermore, their schemes are based on the discrete logarithm 
problem, so they can be implemented over elliptic curve cryptosystems [Kob87, 
Mil85]. In addition, we use the undeniable signatures without signed messages, 
similarly to the bit-commitment for sealed bids [SS99]. 
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The Importance of Hiding the Winner's Identity. Our previous 
scheme [SM99] reveals the winner's identity for universal verifiability of the 
winning bid. However, it is important to hide the winner's identity from the 
other (losing) bidders, though not from the auctioneer, in order to fight 
bid-rigging coerced by a malicious party. 

Such a coercer would ask the bidders to submit the price he desires and thereby 
try to control the winning price. If a winner does not follow the coercer's request and 
the winner's identity is disclosed, the coercer could take revenge on the winner. 

While in electronic voting schemes coercion has already been addressed 
by the approach of receipt-free voting [BT97a,SK95,Oka97], no 
previous work on digital auction systems discusses the winner's anonymity and 
the coercer's bid-rigging. 

Our New Scheme. In this paper, we improve our previous scheme to achieve 
stronger anonymity of the winner: only the auction house learns the winner's 
identity, while the other (losing) bidders can verify that the winner belongs to the 
pre-registered group. 

To this end, we develop a new variant of convertible undeniable group 
signatures. In our signature scheme, convertibility has two phases: 
one from on-line to off-line verification, and the other from individual 
to group. 

The idea of group signatures was introduced in [CvH91]; they allow individual 
members of a group to sign messages on behalf of the group while remaining 
anonymous. We should note that the signature scheme we apply is undeniable, 
i.e. verification is done in an on-line manner. In fact, our first scheme uses 
the Michels-Stadler convertible undeniable signature scheme [MiSt97], which 
is convertible from on-line verification to off-line verification. 

Our further requirement on the undeniable signature scheme is that the release 
of certain secret information by the signer (the winner) makes the signature 
convertible to off-line verification while preserving group anonymity. In 
particular, verification by the auctioneer must be done with the winner's identity. 

None of the previous convertible signature schemes [MiSt97,KPW96] satisfies 
all of our requirements. We therefore develop our own variant of 
convertible signatures. 

2 Our New Convertible Group Signature Scheme 

In this section, we describe the notation and then present our new convertible 
group signature scheme linked to the undeniable signature. 

2.1 Notations 

Let $p$ and $q$ be large primes satisfying $p = 2q + 1$, let $\alpha$ be a generator of the 
subgroup of order $q$, and let $H$ be a one-way hash function. $\mathbb{Z}_q$ denotes the ring of 
integers modulo $q$ and $\mathbb{Z}_q^*$ denotes the multiplicative group modulo $q$. The values 
$p$, $q$, $\alpha$ and $H$ are published as system parameters. 
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2.2 Protocols 



The signer, Alice, has two secrets $x_1, x_2 \in \mathbb{Z}_q^*$ and the corresponding keys $y_1 = 
\alpha^{x_1} \pmod p$ and $y_2 = \alpha^{x_2} \pmod p$. Here $y_1$ is known only to a manager, Bob, 
while $y_2$ is published. Alice also has a group key $x_G$ known only to the members of 
her group. The public key $P_G$ corresponding to $x_G$ is published, where $P_G = 
\alpha^{x_G} \pmod p$. 

In this situation, Alice generates her convertible undeniable signature and 
convertible group signature as follows. 

For a message $m$, Alice selects two random numbers $k, \mu \in \mathbb{Z}_q^*$ and computes 
both $r = \alpha^{k} \pmod p$ and $\lambda = \alpha^{\mu} \pmod p$. Then Alice calculates 

$\bar{r} = \ \pmod p$ 
$\Lambda = \lambda^{x_2} \pmod p$ 
$c = H(m, r, \lambda, \Lambda)$ 
$s = k - c x_1 \pmod q$ 
$t = \dfrac{\mu + r k}{x_G + H(m, r, \lambda)} \pmod q.$ 

Let $(\bar{r}, s)$ be the convertible undeniable signature and $(\bar{r}, t)$ be the convertible 
group signature. Nobody except Alice can verify either signature without the 
help of Alice, since $r$ is never opened, nor learn the content of the message, by the 
approach we proposed in [SM99] (we regard the undeniable signature as 
the ciphertext of the bid until it is converted to a standard digital signature). 
Alice sends $(\bar{r}, \lambda, \Lambda, s, t)$ to Bob, and publishes $(\bar{r}, s, t)$. 

When Alice sends the secret $x_2$ to Bob, Bob, who holds $y_1$, can convert the 
undeniable signature into a standard digital signature. First, Bob computes 
$\lambda = \Lambda^{x_2^{-1}} \pmod p$ and then checks the validity of the signature via the verification 
formula 

$\bar{r} = \ \pmod p.$ 

Furthermore, the group signature is converted into a standard digital signature 
when Bob publishes $r = \ \pmod p$. Everyone can then check its validity via 
the following verification formula: 

$\ \pmod p$ 



The direct application of this signature scheme to our auction system is 
vulnerable to an attack that allows the auctioneer to obtain the bidding price of any 
bidder if the number of candidate prices is small. We therefore revise 
the signature scheme above to achieve a kind of "semantic security" [GM84] (see 
Section 5). 
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3 Overview 

3.1 Model 

Our scheme has the following participants and a tool. 

Auctioneer: The auctioneer calls sellers together and holds an auction. It 
manages a bulletin board, writes various information on the board and 
presides over the auction process. 

Registration Authority: The registration authority registers bidders as participants 
of the auction and issues certificates for the bidders' public keys. 

Seller: The seller puts an item up for auction and wants the bidders to buy it 
at as high a price as possible. 

Bidders: The bidders tender for the item on exhibition and compete with each other. 
Each bidder wants to buy the item at as low a price as possible. 

Bulletin Board: Anybody can see all data posted on the bulletin board. Through 
the data on the bulletin board, the bidders and the seller verify the correctness 
of the auction process and the validity of the determination of the successful bidder. 



3.2 Basic Protocol 

Our scheme consists of the following basic protocols. 

Registration: The registration authority issues a key certificate to each bidder. 

Bidding: Each bidder chooses a bidding price $w_k$ from a set of $m$ prices 
$\{w_1, w_2, \dots, w_m\}$, where $w_1 < w_2 < \dots < w_m$, and then makes both a convertible 
undeniable signature $US(w_k)$ on $w_k$ and a convertible group signature $GS(w_k)$. 
The bidder publishes $US(w_k)$, $GS(w_k)$ and its certificate without attaching the 
message $w_k$. Here, $US(w_k)$ and $GS(w_k)$ can be regarded as ciphertexts of $w_k$. 

Auction: The auctioneer sets the highest price $w_m$ and asks each bidder via the 
bulletin board whether it tendered that price. Each bidder whose bidding price 
is not $w_m$ must show that $US(w_k)$ is not a signature on $w_m$ via the repudiation 
protocol, without revealing its own bidding price $w_k$. The auctioneer 
lowers the price step by step until a successful bidder appears, verifying 
the validity of the bidders' repudiations at every price. For a price $w_k$, the bidder 
with $w_k$ must show that its own $US(w_k)$ is the signature on $w_k$ via the confirmation 
protocol. The auctioneer accepts the bidder as the successful bidder 
if and only if the proof is valid. The auctioneer then converts $GS(w_k)$ into a standard 
digital signature verifiable by anyone, using the information released 
when the undeniable signature was converted into an ordinary digital 
signature. 

If the repudiation protocol were omitted, a group of colluding bidders could control 
the contract price by abusing denial of bidding. Nakanishi et al. [NWFK95] 
discussed this problem and produced a solution using the concept of undeniable 
signatures (see also our paper [SM99] for a brief note on this). 
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The important point of this protocol is that the identity of the winner is never 
published on the bulletin board. Each bidder other than the auctioneer checks the validity 
of the successful bid using $GS(w_k)$ converted to a publicly verifiable signature. This 
verification requires only the public key of the winner's group, which contains no 
information linked to the winner, i.e. nothing of the winner's individual public key, 
which is known only to the auctioneer. 



3.3 Requirements 

Our first scheme satisfies the following requirements. 

Secrecy of bidding price: 

All bidding prices except the contract price are not revealed to anybody 
including the auctioneer. 

Validity of the successful bid: 

The price of the successful bid is the highest among all bidding prices. 

Fairness: 

No bidder can tender on more advantageous conditions than the other bidders. 

Moreover, our improved scheme satisfies the following additional requirement. 

Anonymity of the winner: 

Only the auction house recognizes the winner’s identity, while the other 
losers can verify the fact that the winner belongs to the advanced registered 
group. 

4 An Anonymous Electronic Bidding Scheme 

We propose a new auction protocol such that only the auction house learns 
the winner's identity, whereas the other (losing) bidders can verify that the winner 
belongs to the pre-registered group. 



[Registration] 

The registration authority issues the secret key $S_G$ to each member of the 
registered group¹ via a secure channel. Let $S_G$ be the group secret key and 
$P_G = \alpha^{S_G} \pmod p$ be its corresponding public key. 

Also let $S_A$ be bidder A's individual private key, $P_A = \alpha^{S_A} \pmod p$ be 
A's corresponding individual public key, and $Cert_A$ be its certificate. 

[Bidding Protocol] 

Step 1: The auctioneer publishes $m$ kinds of bidding prices. Let $\{w_1, w_2, \dots, w_m\}$ 
be the set of bidding prices, where $w_1 < w_2 < \dots < w_m$. 

¹ There may be more than one group. 
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Table 1. Released and published information 

                    | Bidding stage                                             | Repudiation | Opening stage 
To auctioneer       | $P_A$, $(P_A, Cert_A, \bar h, \bar r, \lambda, \Lambda, \sigma, t)$ |             | 
On a bulletin board |                                                           |             | 



Step 2: First, bidder A chooses its own bidding price $w_k$ from $\{w_1, w_2, \dots, w_m\}$. 
Then bidder A generates three random numbers $x, k, \mu \in \mathbb{Z}_q^*$ and 
computes 

$\bar h = \ \pmod p$ 
$r = \ \pmod p$ 
$\bar r = \ \pmod p$ 
$\lambda = \ \pmod p$ 
$\Lambda = \ \pmod p$ 
$c = H(w_k, \bar r, \lambda, \Lambda)$ 
$\sigma = k - c S_A \pmod q.$ 

Then bidder A also calculates a group signature 

$t = \dfrac{\mu + r k}{S_G + H(w_k, r, \lambda)} \pmod q$ 

and sends $(P_A, Cert_A, \bar h, \bar r, \lambda, \Lambda, \sigma, t)$ to the auctioneer. Note that $w_k$ 
must not be transferred at this step. 

Step 3: The auctioneer writes $(\bar h, \bar r, \sigma, t)$ in the column of the concerned group 
on the bulletin board if and only if the certificate $Cert_A$ is valid. 

Step 4: The auctioneer closes the request for bids at a suitable time. 

[Opening Protocol] 

Step 1: The auctioneer sets and publishes the highest price $w_m$. 
Step 2: The bidder who tendered the price $w_m$ shows the validity of its own 
bid via the confirmation protocol, proving equality between the 
encrypted $w_k$ and the called price $w_m$ as described in Appendix A. If nobody 
offered a bid at $w_m$, each bidder must show that its own bidding price 
is not $w_m$, i.e. that $(\bar r, s)$ is not a signature on $w_m$, by the repudiation protocol 
described in Appendix A, with the following parameters: 

$y = \bar h$ 
$z = \bar r$ 
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After checking the validity of the bidders' repudiations, the auctioneer sets 
the second highest price $w_{m-1}$ and repeats the above process until a 
successful bidder gives its name. 

Step 3: For a price $w_k$, the bidder $j$ who put in its bid at $w_k$ shows the 
auctioneer the validity of its bid by the confirmation protocol. The 
auctioneer considers the bidder a candidate if and only if the check 
succeeds. Bidder A is accepted as the successful bidder when it is the 
only candidate. 

In this case the winner A should convert its locked group signature into a 
group signature verifiable by anyone. This is done by releasing its secret 
$x$ to the auctioneer, who can also convert the winner's undeniable signature 
into a digital signature. The process is as follows. 

[3a]: Bidder A sends $x$ to the auctioneer. 

[3b]: The auctioneer verifies the validity of the (individual) signature by 
the following formula: 

$\bar r = \ \pmod p$ 

with the public key $P_A$. 

Furthermore, the auctioneer computes $r = \ \pmod p$ and verifies 
the group signature. 

[3c]: If both the individual signature and the group signature are correct, 
the auctioneer publishes $(r, \lambda)$. 

[3d]: All bidders can verify the validity of the winning price with the published 
data $(\lambda, r, \bar r, t, w_k, P_G)$: 

$\lambda r^{r} = \ \pmod p$ 

5 A Secrecy Problem on Bidding Price and an Improved 
Signature Scheme 



5.1 Disclosure of Bidding Prices 

If the number of candidate prices is small, our scheme described in 
Section 4 may be vulnerable to an attack that allows the auctioneer to learn 
the bidding price of any bidder. This attack exploits the same weakness as a 
deterministic (public-key) encryption scheme [GM84]: for the prices $w_i \in W = 
\{w_1, w_2, \dots, w_m\}$ and the bidding price $w_k$, the auctioneer tries each $w_i$ in turn 
against the verification formula. 
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The concrete attacking algorithm is as follows. 

1. For a price $w_i$, the auctioneer computes $R(w_i)$ from the data received from 
the target bidder as follows: 

$R(w_i) = \ \pmod p$ 
$\phantom{R(w_i)} = \ \pmod p$ 

Note that $R(w_i) = r$ if $w_i$ equals $w_k$. 

2. For the $R(w_i)$ obtained at step 1, the auctioneer checks whether the 
following formula holds: 

$\ \pmod p$ 

If the equality does not hold, choose another price $w_j$ $(\ne w_i)$ and go back to 
step 1. Otherwise, the auctioneer learns that $w_i$ is the bidding price $w_k$ 
of the bidder concerned. 

Recall that we have a similar discussion when arguing about the semantic 
security of public-key encryption. Suppose that we have a message space $M = 
\{m_1, m_2\}$ and an encryption function $Enc$. Here, $Enc$ is said to be polynomially 
secure if no passive adversary, given the encrypted message $Enc(m_i)$, can select 
$m_i$ as the corresponding message with probability significantly greater than $1/2$ 
(for the definition of polynomial security, see [GM84,MvOV97]). 

The complexity of finding $w_i = w_k$ via the above algorithm depends on the 
size of the message space. If the space is sufficiently large, secrecy against 
the above attack is enhanced, while the efficiency of the opening phase suffers. 
Of course, the auctioneer can obtain the bidding price easily when the number 
of elements in the message space is small. 

In the next section, we present an improved protocol that enhances the security 
of the proposed scheme toward polynomial security, although the argument is heuristic. 

5.2 An Improved Scheme 

We improve the original scheme described in Section 4 against the one-by-one 
attack. First, the parameters in step 2 of the bidding protocol are changed as 
follows. 

Original Protocol: 

$\bar r = r^{x} \pmod p$ 
$\sigma = k - c S_A \pmod q$ 
$t = \dfrac{\mu + r k}{S_G + H(w_k, \bar r, \lambda)} \pmod q$ 

Improved Protocol: 

$\bar r = (r^{\rho})^{x} \pmod p$ 
$\sigma = \rho k - c S_A \pmod q$ 
$t = \dfrac{\mu + r k}{S_G + H(w_k, \bar r, r, \lambda)} \pmod q$ 

Second, we describe the modified step 3 of the opening protocol 
below. 
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Table 2. Knowledge known to the auctioneer and public data in the improved scheme 

                    | Bidding stage                                             | Repudiation | Opening stage 
To auctioneer       | $P_A$, $(P_A, Cert_A, \bar h, \bar r, \lambda, \Lambda, \sigma, t)$ | —           | $r, x$ 
On a bulletin board | $P_A$, $(\bar h, \bar r, \sigma, t)$                      |             | $\lambda, r$ 



[3a']: Bidder A sends $(x, r)$ to the auctioneer. 

[3b']: The auctioneer verifies the validity of the (individual) signature by the 
following formulas: 

$\bar r = (r^{\rho})^{x} \pmod p$ 
$r = $ 

with the public key $P_A$. Then the auctioneer verifies the correspondence 
$\lambda = \Lambda^{x^{-1}} \pmod p$ and checks the validity of the group signature: 

$ $ 

[3c']: If both the individual signature and the group signature are correct, the 
auctioneer publishes $(r, \lambda)$. 

[3d']: All bidders can verify the validity of the winning price with the published 
data $(\lambda, r, \bar r, t, w_k, P_G)$: 

$\ \pmod p$ 



6 Discussion 

6.1 Correctness 

Our scheme satisfies all requirements described in Section 3.3. 

Secrecy of bidding price: 

The bidding prices of losers are never revealed to anybody, including the 
auctioneer, since they have no information on the secret $x$. 

Validity of the successful bid: 

Anybody can verify the validity of the determination of the successful bid with the 
additional knowledge $(\lambda, r)$ published on the bulletin board in the opening 
protocol. 

Fairness: 

Nobody can tender on more advantageous conditions than the other bidders 
(even via bid rigging or collusion with the auctioneer), since the content of a 
bid is known only to the bidder concerned. 

Anonymity of the winner: 

Due to our new convertible undeniable group signature, knowledge related 
to the winner is never revealed to anyone but the auctioneer, while the other 
losers can verify both the validity of the successful bid and the fact that the 
winner belongs to the advanced registered group. 
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With respect to the anonymity of the winner, we discuss another point: 

Information related to the identity of each bidder 
is never opened in our scheme. 

It is not desirable that bidder-specific information used for verifying the 
validity of bids, such as public keys, be published on a bulletin board. Suppose 
you notice that a certain person often becomes the successful bidder at a high 
price. That alone is enough to dampen your incentive to participate in the auction. 
Introducing pseudonyms does not solve this problem, since a pseudonym, while 
hiding the owner's name or identity, still represents the owner's persona 
throughout an auction. 

In our scheme, bidder-specific information is never opened, so that control of 
the market by abuse of such published information is precluded. 



6.2 Security against One-by-One Attack 

We discuss security of the improved scheme against one-by-one attack. 

First, an auctioneer who wants to learn the bidding price of bidder A via 
the attack computes $R(w_i)$ as follows: 

$R(w_i) = \ \pmod p$ 
$\phantom{R(w_i)} = \ \pmod p$ 

Here $R(w_i) = r^{\rho}$ if $w_i$ is the bidding price $w_k$. The improved scheme would 
therefore still be vulnerable to the one-by-one attack if the auctioneer could check 
the following verification formula: 

$\ = \lambda R(w_i) \ \pmod p$ 

As an input to the hash function $H$, $r$ is required for the above formula. 
However, it is computationally infeasible for the auctioneer to compute $r$ 
without knowledge of $x$, given $\bar r = (r^{\rho})^{x} \pmod p$. 

We analyze this problem from another viewpoint. 

Algorithm $X$ can output $r$ in expected polynomial time, 
given a prime $p$ and $\bar r = r^{\rho} \pmod p$. 

If such an algorithm $X$ existed, the auctioneer might be able to recover $w_k$ by 
checking the verification formula with candidates computed from $R(w_i)$ via 
algorithm $X$. 

We consider the improved scheme computationally secure against the 
one-by-one attack, since no such algorithm is known to us. 
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7 Concluding Remarks 

We have developed a new variant of convertible undeniable group signatures 
for achieving stronger anonymity of the winner in anonymous electronic bidding 
protocols. 

However, the security of the proposed signature scheme is heuristic, and no formal 
security argument is given. The next step of our research is therefore to 
design a provably secure scheme. We shall also consider the separability of 
group signature schemes remarked on by Camenisch and Michels [CM99]. 

References 

BCD90. J. Boyar, D. Chaum, and I. Damgard, “Convertible undeniable signatures” 
Advances in Cryptology - CRYPTO ’90, LNCS 537, pp. 189-205, 1990. 

BT97a. J. Benaloh and D. Tuinstra. “Receipt-free secret-ballot elections,” Proc. STOC 
’94, pages 544-553. 

ChaSl. D. Chaum, “Untraceable electronic mail, return addresses, and digital pseud- 
onyms,” Communications of ACM, Vol. 24, No. 2, pp. 84-88, 1981. 

Cha90. D. Chaum, “Zero-knowledge undeniable signatures,” Advances in Cryptology 
- EUROCRYPT ’90, LNCS 473, pp. 458-464, 1990. 

CvA89. D. Chaum and H. van Antwerpen, “Undeniable Signatures,” Advances in 
Cryptology - CRYPTO ’89, LNCS 435, pp. 212-216, 1989. 

CFSY96. R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung, “Multi-authority 
secret-ballot elections with linear work,” Advances in Cryptology - EUROCRYPT 
’96, pp.72-83, 1996. 

CvH91. D. Chaum and E. van Heyst, “Group signatures,” Advances in Cryptology - 
Eurocrypt’91, LNCS 547. 

CM99. J. Camenisch and M. Michels, “Separability and efficiency for generic group 
signature schemes,” Proc. CRYPTO’99, LNCS 1666. 

Dam96. I. Damgard, “New convertible undeniable signature schemes,” Advances in 
Cryptology - EUROCRYPT ’96, LNCS 1070, pp. 372-386, 1996. 
ebay. eBay Incorporation, http://pages.ebay.com/ 

FIPS95. FIPS 180-1, “Secure hash standard,” Federal Information Processing Stan- 
dards Publication 180, U.S. Department of Commerce/N.I.S.T., National Technical 
Information Service, 1993. 

FR95. M. K. Franklin and M. K. Reiter, “Verifiable signature sharing,” Advances in 
Cryptology - EUROCRYPT ’95, LNCS 921, pp. 50-63, 1995. 

FR96. M. K. Franklin and M. K. Reiter, “The design and implementation of a secure 
auction service,” IEEE Transactions on Software Engineering, 22(5), pp. 302-312, 
1996. 

GKR97. R. Gennaro, H. Krawczyk, and T. Rabin, “RSA-based undeniable signatures,” 
Advances in Cryptology - CRYPTO ’97, LNCS 1294, pp. 132-149, 1997. 

GM84. S. Goldwasser and S. Micali, “Probabilistic encryption,” JCSS, 28, pp. 270-299, 1984. 

HTK98. M. Harkavy, J. D. Tygar, and H. Kikuchi, “Electronic auctions with private 
bids,” In Third USENIX Workshop on Electronic Commerce Proceedings, pp. 61-74, 
1998. 

IM95. S. Inoue and T. Matsumoto, “A note on anonymous electronic auction,” Tech- 
nical Report of IEICE, ISEC95-5, 1995 (in Japanese). 




398 K. Sakurai and S. Miyazaki 



IMI94. Y. Imamura, T. Matsumoto, and H. Imai, “Electronic anonymous bidding sche- 
mes,” The 1994 Symposium on Cryptography and Information Security, SCIS94-11B, 
1994 (in Japanese). 

KHT98. H. Kikuchi, M. Harkavy, and J. D. Tygar, “Multi-round anonymous auction 
protocols,” In Proceedings of the First IEEE Workshop on Dependable and Real-Time 
E-Commerce Systems, pp. 62-69, 1998. 

KN98. H. Kikuchi and S. Nakanishi, “Registration-free protocol for anonymous auc- 
tion,” Proceedings of Computer Security Symposium ’98, pp. 243-248, 1998 (in Ja- 
panese). 

Kob87. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, 48, 
pp. 203-209, 1987. 

KPW96. S.J.Kim, S.J.Park, and D.H.Won, “Convertible group signatures,” Proc. 
ASIACRYPT’96, LNCS 1163. 

Kud98. M. Kudo, “Secure electronic sealed-bid auction protocol with public key cryp- 
tography,” IEICE Trans. Fundamentals, Vol. E81-A(1), pp. 20-27, January 1998. 

Mil85. V. S. Miller, “Use of elliptic curves in cryptography,” Advances in Cryptology 
- CRYPTO ’85, LNCS 218, pp. 417-426, 1985. 

MPH96. M. Michels, H. Petersen, and P. Horster, “Breaking and repairing a conver- 
tible undeniable signature scheme,” Proc. 3rd ACM Conference on Computer and 
Communications Security, pp. 148-152, 1996. 

MiSt97. M. Michels and M. Stadler, “Efficient convertible undeniable signature sche- 
mes,” Proc. 4th Annual Workshop on Selected Areas in Cryptography, 1997. 
http://www.geocities.com/CapeCanaveral/Lab/8983/publications.htm 

MvOV97. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, “HANDBOOK of 
APPLIED CRYPTOGRAPHY,” CRC Press, 1997. 

NWFK95. T. Nakanishi, H. Watanabe, T. Fujiwara, and T. Kasami, “An anonymous 
bidding protocol using undeniable signature,” The 1995 Symposium on Cryptography 
and Information Security, SCIS95-B1.4, 1995 (in Japanese). 

NR94. Niemi and Renvall, “How to prevent buying of votes in computer elections,” 
Proc. Asiacrypt’94. 

Oka97. T. Okamoto, “Receipt-free electronic voting schemes for large scale elections,” 
Proc. Security Protocols ’97. 

Pet97. H. Petersen, “How to convert any digital signature scheme into a group signa- 
ture scheme,” Security Protocols, LNCS 1361, pp. 178-190, 1997. 

RD97. M. K. Reiter and A. D. Rubin, “Crowds: anonymity for web transactions,” The 
ACM Transactions on Information and System Security, Vol. 1, Number 1, November 
1998. 

Riv92. R. L. Rivest, “The MD5 message-digest algorithm,” Internet Request for Com- 
ments 1321, April 1992. 

Sak99. K. Sako, “An auction protocol which hides bids of losers,” Proc. Public Key 
Cryptography, LNCS 1751 (2000); a previous version is “Universally verifiable auc- 
tion protocol which hides losing bids,” Proceedings of the 1999 Symposium on Cryp- 
tography and Information Security, pp. 35-39, 1999 (in Japanese). 

SK95. Sako and Kilian, “Receipt-free mix-type voting scheme,” Proc. Eurocrypt’95. 

SKFN98. K. Seo, H. Kikuchi, A. Fujioka, and S. Nakanishi, “Evaluation of anonymous 
channel in the internet,” The 1998 Symposium on Cryptography and Information 
Security, SCIS98-3.3.E, 1998 (in Japanese). 

SGR97. P. F. Syverson, D. M. Goldschlag, and M. G. Reed, “Anonymous connections 
and onion routing,” IEEE Symposium on Security and Privacy, pp. 44-54, 1997. 




An Anonymous Electronic Bidding Protocol 399 



SM99. K. Sakurai and S. Miyazaki, “A bulletin-board based digital auction scheme 
with bidding down strategy,” Proc. of 1999 International Workshop on Cryptographic 
Techniques and E-Commerce, M. Blum and C. H. Lee (Eds.), pp. 180-187. 

SS99. S. G. Stubblebine and P. F. Syverson, “Fair on-line auctions without special 
trusted parties,” Proceedings of Financial Cryptography, 1999, LNCS 1648. 

Yah. Auctions of YAHOO, http://auctions.yahoo.com/. 

Yam88. S. Yamamura, “A bidding protocol on a network,” The Proceedings of the 1988 
Workshop on Cryptography and Information Security, pp. 41-50, 1988 (in Japanese). 



A Proving the Equality/Inequality of Two Discrete 
Logarithms [MiSt97] 

We describe here the Michels-Stadler protocol for proving the equality/inequality of 
two discrete logarithms. 

The prover has a secret $x$ satisfying $z = \beta^{x} \pmod p$ and $y = \alpha^{x} \pmod p$, 
where $\alpha$ and $\beta$ are generators of a subgroup of order $q$. In this paper, proving the 
equality ($\log_{\beta} z = \log_{\alpha} y$) is used as the confirmation of a bid, and the inequality 
($\log_{\beta} z \neq \log_{\alpha} y$) as showing the validity of negating the bid. 

Step 1: The verifier chooses $u, v \in Z_q^*$ at random and sends $a = \alpha^{u} y^{v} \pmod p$ to the 
prover. 

Step 2: The prover generates random numbers $k, \tilde{k}, w \in Z_q^*$ and computes $r_{\alpha} = \alpha^{k} \pmod p$, 
$r_{\beta} = \beta^{k} \pmod p$, $\tilde{r}_{\alpha} = \alpha^{\tilde{k}} \pmod p$, $\tilde{r}_{\beta} = \beta^{\tilde{k}} \pmod p$. Then the prover 
sends $(r_{\alpha}, r_{\beta}, \tilde{r}_{\alpha}, \tilde{r}_{\beta}, w)$ to the verifier. 

Step 3: The verifier sends $(u, v)$ to the prover. 

Step 4: The prover sends $(s, \tilde{s})$ to the verifier if and only if $a = \alpha^{u} y^{v} \pmod p$, where 

$s = k - (v + w)x \pmod q$ 
$\tilde{s} = \tilde{k} - (v + w)k \pmod q$ 

Step 5: The verifier checks whether 

$\alpha^{s} y^{v+w} = r_{\alpha} \pmod p$, 
$\alpha^{\tilde{s}} r_{\alpha}^{\,v+w} = \tilde{r}_{\alpha} \pmod p$, 
$\beta^{\tilde{s}} r_{\beta}^{\,v+w} = \tilde{r}_{\beta} \pmod p$, 

and finally verifies: 

(Confirmation): $\beta^{s} z^{v+w} = r_{\beta} \pmod p$ 
(Repudiation): $\beta^{s} z^{v+w} \neq r_{\beta} \pmod p$ 
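The following is an added worked example of the appendix protocol, written for this page and not taken from the paper: it runs both the confirmation and the repudiation outcome end to end, with the prover refusing to answer a verifier whose Step 1 commitment does not match the revealed $(u, v)$. The group parameters are an assumption constructed for the example ($p = 2039$, $q = 1019$, toy sizes that are not secure), and the retry on a challenge with $v + w \equiv 0 \pmod q$ is a check of my own, since such a challenge would make every Step 5 equation hold trivially.

```python
"""Michels-Stadler proof of equality / inequality of two discrete logarithms, as
described in Appendix A (both the confirmation and the repudiation outcome).
Example code written for this page, not the authors' implementation.  The group
parameters are an assumption constructed for the example: p = 2q + 1 with p and
q prime (toy sizes, NOT secure), so every quadratic residue other than 1 generates
the subgroup of order q; alpha = 2^2 and beta = 3^2 are two such generators."""
import secrets

P = 2039            # prime modulus
Q = 1019            # prime order of the subgroup, p = 2q + 1
ALPHA = pow(2, 2, P)
BETA = pow(3, 2, P)


def rand_zq_star() -> int:
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


class Prover:
    """Knows x with y = alpha^x; z (the value under dispute) is supplied by the verifier."""

    def __init__(self, x: int):
        self.x = x % Q
        self.y = pow(ALPHA, self.x, P)

    def step2(self, a: int):
        """Step 2: commit to k and k~ under both bases and pick the blinding w."""
        self.a = a
        self.k, self.kt, self.w = rand_zq_star(), rand_zq_star(), rand_zq_star()
        r_a, r_b = pow(ALPHA, self.k, P), pow(BETA, self.k, P)
        rt_a, rt_b = pow(ALPHA, self.kt, P), pow(BETA, self.kt, P)
        return r_a, r_b, rt_a, rt_b, self.w

    def step4(self, u: int, v: int):
        """Step 4: answer only if the verifier's a really was alpha^u y^v (Step 1)."""
        if self.a != pow(ALPHA, u, P) * pow(self.y, v, P) % P:
            raise ValueError("verifier's commitment a was not formed as alpha^u y^v")
        e = (v + self.w) % Q
        s = (self.k - e * self.x) % Q           # s  = k  - (v + w) x
        st = (self.kt - e * self.k) % Q         # s~ = k~ - (v + w) k
        return s, st


def run_protocol(prover: Prover, z: int) -> bool:
    """Verifier side.  True = confirmation (log_beta z == log_alpha y),
    False = repudiation.  Raises ValueError if the prover's transcript is inconsistent."""
    y = prover.y
    for _ in range(8):
        # Step 1: commit to (u, v) through a = alpha^u y^v
        u, v = rand_zq_star(), rand_zq_star()
        a = pow(ALPHA, u, P) * pow(y, v, P) % P
        r_a, r_b, rt_a, rt_b, w = prover.step2(a)
        e = (v + w) % Q
        if e == 0:
            # v + w = 0 (mod q) would make every check trivially true (s = k);
            # negligible for real q, but restart with fresh u, v rather than accept it.
            continue
        s, st = prover.step4(u, v)               # Step 3 reveals (u, v), Step 4 answers
        # Step 5: r_alpha and r_beta share exponent k, and s, s~ are consistent under both bases
        if pow(ALPHA, s, P) * pow(y, e, P) % P != r_a:
            raise ValueError("alpha^s y^(v+w) != r_alpha")
        if pow(ALPHA, st, P) * pow(r_a, e, P) % P != rt_a:
            raise ValueError("alpha^s~ r_alpha^(v+w) != r~_alpha")
        if pow(BETA, st, P) * pow(r_b, e, P) % P != rt_b:
            raise ValueError("beta^s~ r_beta^(v+w) != r~_beta")
        # Final decision: beta^s z^(v+w) equals r_beta exactly when log_beta z == x
        return pow(BETA, s, P) * pow(z, e, P) % P == r_b
    raise RuntimeError("repeated degenerate challenges")


if __name__ == "__main__":
    x = 123
    print(run_protocol(Prover(x), pow(BETA, x, P)))       # confirmation
    print(run_protocol(Prover(x), pow(BETA, x + 1, P)))   # repudiation
```

The prover's refusal in Step 4 is what makes the protocol zero-knowledge against a verifier who picks $a$ without knowing $(u, v)$; the three Step 5 checks establish that $r_{\alpha}$ and $r_{\beta}$ were formed with the same $k$, so the last equation can only hold when $z$ really is $\beta^{x}$.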
Abstract. This paper proposes a modified signcryption scheme that 
provides signer anonymity. In addition, an efficient 2-pass authentica- 
tion and key agreement protocol that uses the proposed signcryption 
scheme is presented for the mobile communication air-interface. The use 
of the modified scheme in the implementation of the ASPeCT protocol 
is demonstrated to generate a lower computational load than other me- 
thods. A modified ASPeCT protocol, which satisfies forward secrecy, is 
also proposed. 



1 Introduction 

Public key cryptography is being utilized in the implementation of security ser- 
vices for future mobile communications due to its key management facility and 
variety of security services. When designing an authentication and key agreement 
(hereinafter AKA) protocol, certain restrictions caused by mobile communica- 
tion environments must be taken into consideration. One of these is that a mobile 
user device has a limited computational capability compared to fixed networks. 
Accordingly, a smaller computational load for the mobile user device is desirable. 
Moreover, the bandwidth between a mobile user and a fixed network is generally 
expensive and limited, therefore, the length of the exchanged messages needs to 
be kept as short as possible. 

Several AKA protocols [1,2, 3, 4] for mobile communications currently employ 
the MSR (modular square root) cryptosystem [5] for a smaller computational 
load on the mobile side since the MSR cryptosystem only requires one modular 
multiplication by the mobile user device. However, the MSR cryptosystem can 
not be converted into an efficient ECC (elliptic curve cryptography) system [6, 
7,8], which is a disadvantage from the perspective of the bandwidth. 

Other AKA protocols [9,10] use off-line computation to achieve prompt AKA 
protocol runs. These protocols adopt a cryptosystem based on a DLP (discrete 
logarithm problem) that can be easily converted to an ECDLP (elliptic curve 
discrete logarithm problem) . Even though these protocols involve more intensive 

* This work was supported by the Brain Korea 21 Project. 
computations than the MSR cryptosystem, a mobile user can compute the most 
time consuming exponentiations prior to initiating an AKA protocol. However, 
despite such endeavors, the total computational load at the mobile user device 
can not be reduced in two particular cases: signature generation and public key 
encryption, or signature generation and Diffie-Hellman key exchange. 

A signcryption scheme [11,12,13,14] is a cryptographic method that invol- 
ves the functions of encryption and digital signature simultaneously. Such a 
scheme has fewer computations than those required by traditional signature- 
then-encryption and assumes that the signer and verifier have prior knowledge 
of the other’s public key. As a result, this type of scheme can not be employed 
with an AKA protocol using radio channels because user identity information, 
such as an identifier, public key, or user certificate, can not be sent over an air- 
interface due to the security requirement of user anonymity for AKA protocols 
in mobile communications [15]. 

This paper proposes a modified signcryption scheme suitable for mobile com- 
munications. The proposed signcryption scheme requires a slightly higher com- 
putational load than a conventional signcryption scheme [11], yet fewer computa- 
tions than a conventional signature-then-encryption scheme. In addition, an effi- 
cient 2-pass AKA protocol which uses the concept of signature-then-encryption 
is presented for a mobile communication air-interface. It is also demonstrated 
that use of the proposed signcryption scheme in the implementation of the AS- 
PeCT protocol produces a lower computational load than other methods. Plus, a 
modified ASPeCT protocol using the proposed signcryption scheme is presented 
which provides forward secrecy with only slightly more computation, however, 
the number of exponentiations on the mobile side remains unchanged. 



2 Proposal of Modified Signcryption Scheme 



The following notations are used to describe the protocols throughout this paper. 

$p$ : large prime number 
$q$ : large prime factor of $p - 1$ 
$g$ : element of $Z_p^*$ of order $q$ 
$ID_E$ : identifier of entity $E$ 
$RT$ ($TS$) : real time value (time stamp) 
$\mathrm{hash}$ : one-way hash function 
$KH$ : keyed one-way hash function 
$x_E$ : secret key of entity $E$ 
$P_E$ : public key of entity $E$ 
$K_{MB}$ : common session key between M and B 
$Cert_E$ : certificate of $P_E$ 
$r_E$ : random number generated by entity $E$ 
$E_K\{x\}$ ($D_K\{x\}$) : symmetric encryption (decryption) of $x$ using key $K$ 
$x \,\|\, y$ : concatenation of $x$ and $y$ 
2.1 Description of Proposal 

Fig. 1 describes the modified signcryption scheme. It is assumed that Alice has 
a message $m$ to send to Bob. Alice signcrypts it so that the effect is similar to 
signature-then-encryption. 



Alice [Signcryption]: 
$K = \mathrm{hash}(P_B^{r_A} \bmod p)$ 
$T = g^{r_A} \bmod p$ 
$r = KH_K(m)$ 
$s = r_A/(r + x_A) \bmod q$ 
$c = E_K\{m \,\|\, r \,\|\, s\}$ 

Alice -> Bob: $T \,\|\, RT \,\|\, c$ 

Bob [Unsigncryption]: 
$K = \mathrm{hash}(T^{x_B} \bmod p)$ 
$D_K\{c\} = m \,\|\, r \,\|\, s$ 
$T \stackrel{?}{=} (P_A \cdot g^{r})^{s} \bmod p$ 
$KH_K(m) \stackrel{?}{=} r$ 

Fig. 1. Modified signcryption scheme 

[Signcryption] 

1. Randomly choose $r_A \in_R Z_q^*$ 

2. Compute encryption key $K = \mathrm{hash}(P_B^{r_A} \bmod p)$ and $T = g^{r_A} \bmod p$ 

3. Compute $r = KH_K(m)$ and $s = r_A/(r + x_A) \bmod q$, which serve as the signa- 
ture 

4. Encrypt $r$, $s$, and some other data using $K$ 

5. Send $T$ to Bob together with $RT \,\|\, c$ 

[Unsigncryption] 

1. Bob takes $T$ from the received message and computes the decryption key 
$K = \mathrm{hash}(T^{x_B} \bmod p)$ 

2. Decrypt the received message $c$ using $K$ to get $m$, $r$, and $s$ 

3. Compute $(P_A \cdot g^{r})^{s} \bmod p$ and compare with the received $T$ 

4. Compute $KH_K(m)$ and compare with the decrypted $r$ 

If necessary, Bob can then forward $(m, r, s)$ to others (together with $T$ and $K$, 
since both checks need them), who will be convinced that it came originally from 
Alice by verifying 

$T = (P_A \cdot g^{r})^{s} \bmod p$ and $r = KH_K(m)$   (1) 



2.2 Security Features and Computational Load 

A new type of cryptographic primitive called signcryption was introduced in 
1997 by Zheng [11], which includes simultaneous message encryption and digi- 
tal signature. It involves fewer computations and has a lower communication 
overhead than conventional signature-then-encryption approaches. In Zheng’s 
scheme, the unsigncryption (decryption and signature verification) requires the 
recipient’s private key, which can produce certain constraints in applications 
where signatures need to be validated by others. 

Bao and Deng [12] proposed a directly-verifiable signcryption scheme that 
has a higher computational load than Zheng’s scheme and yet can prevent a key 
recovery attack by a judge [16]. Bao and Deng’s signcryption scheme has been 
subsequently modified for specific applications [13,14]. However, despite its low 
communication overhead, small computational load, and suitability for mobile 
communications, this scheme can not be directly applied to mobile communica- 
tions because it does not satisfy the security requirement of signer anonymity. 

The first step of the unsigncryption procedure of the conventional signcryp- 
tion schemes in [11,12,13,14] includes the public key of the signer as follows: 

$K = \mathrm{hash}((P_A \cdot g^{r})^{s} \bmod p)$   (2) 

This means that the recipient can compute the decryption key only if the public 
key of the signer was received in advance. However, in mobile communications the 
public key of the signer (the mobile user) needs to be encrypted to satisfy signer 
anonymity. 

In the proposed scheme in Fig. 1, the recipient generates the decryption key 
from the received data ($T$) and his own secret key ($x_B$) alone: 

$K = \mathrm{hash}(T^{x_B} \bmod p)$   (3) 

As a result, the public key of the signer can itself be encrypted under this key. 
Therefore, the proposed scheme can ensure the anonymity of the signer (mobile 
user). 

The number of modular exponentiations for the proposed signcryption sche- 
me can be counted from Fig. 1. Table 1 compares the computational loads of the 
various methods. The proposed scheme involves the same number of exponentiations 
as the other schemes except for Zheng’s scheme; that scheme, however, has a weakness 
related to the key recovery attack [16]. 



Table 1. Comparison of number of exponentiations 

Operation       | Proposed scheme | Zheng’s scheme | Bao and Deng’s scheme | DSA signature + ElGamal encryption 
Signcryption    | 2               | 1              | 2                     | 1 + 2 
Unsigncryption  | 3               | 2              | 3                     | 1 + 2 
3 2-Pass AKA Protocol 

3.1 Description of Protocol 

The concept of signcryption was adopted to reduce the computational load in 
a 2-pass AKA protocol [17]. Fig. 2 presents a flow diagram of the protocol, in 
which the anonymity of the mobile user is ensured. Its procedure is executed as 
follows. 

B -> M: $r_B \,\|\, Cert_B \,\|\, RT$ 

M: 
$K_{MB} = \mathrm{hash}(r_B \,\|\, RT \,\|\, (P_B^{r_M} \bmod p))$ 
$T = g^{r_M} \bmod p$ 
$r = KH_{K_{MB}}(m)$ 
$s = r_M/(r + x_M) \bmod q$ 
$c = E_{K_{MB}}\{m \,\|\, r \,\|\, s\}$ 

M -> B: $T \,\|\, RT \,\|\, c$ 

B: 
$K_{MB} = \mathrm{hash}(r_B \,\|\, RT \,\|\, (T^{x_B} \bmod p))$ 
$D_{K_{MB}}\{c\} = m \,\|\, r \,\|\, s$ 
$T \stackrel{?}{=} (P_M \cdot g^{r})^{s} \bmod p$ 
$KH_{K_{MB}}(m) \stackrel{?}{=} r$ 

Fig. 2. Flow diagram of 2-pass AKA protocol 

First pass from B to M 

- B broadcasts a random number $r_B$, real-time value $RT$, and its public key 
certificate $Cert_B$, where the identifier $ID_B$ and B’s public key $P_B$ are in- 
cluded in the certificate $Cert_B$. 

Second pass from M to B 

- Entity M executes the following actions: 

1. Extract $ID_B$ and $P_B$ from $Cert_B$ 

2. Generate random number $r_M$ 

3. Compute common session key $K_{MB} = \mathrm{hash}(r_B \,\|\, RT \,\|\, (P_B^{r_M} \bmod p))$ 
and temporary key $T = g^{r_M} \bmod p$ 

4. Compute $r = KH_{K_{MB}}(m)$ and $s = r_M/(r + x_M) \bmod q$, which serve as the signature 

5. Encrypt $r$, $s$, and other data $m$ including $Cert_M$ using $K_{MB}$ 

6. Send $T$ and $RT$ to B together with the encrypted message $c$ 

- Entity B executes the following actions: 

1. B takes $T$ and $RT$ from the received message and computes the common session 
key $K_{MB} = \mathrm{hash}(r_B \,\|\, RT \,\|\, (T^{x_B} \bmod p))$ 

2. Decrypt the received message $c$ using $K_{MB}$ and extract M’s identifier and 
public key from $Cert_M$ 

3. Compute $(P_M \cdot g^{r})^{s} \bmod p$ and compare with the received $T$. The protocol is 
aborted if the received $T$ is invalid 

4. Compute $KH_{K_{MB}}(m)$ and compare with the decrypted $r$ 
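The following is an added worked example, written for this page and not the authors' code, of the modified signcryption scheme of Section 2.1 carried through the 2-pass AKA exchange above: M's second pass produces $T \,\|\, RT \,\|\, c$, and B derives $K_{MB}$ from $T$ and $x_B$ alone before learning who M is. Everything the paper leaves open is an assumption here: a toy group ($p = 2039$, $q = 1019$, $g = 4$; not secure sizes), SHA-256 as $\mathrm{hash}$, HMAC-SHA256 reduced into $Z_q$ as $KH$, a SHA-256 counter keystream standing in for the symmetric cipher $E_K$, and $Cert_M$ represented by the bare public key $P_M$ with no CA signature.

```python
"""Modified signcryption (Section 2.1) inside the 2-pass AKA exchange (Section 3).
Example code written for this page, not the authors' implementation.  Assumptions
not in the paper: toy group p = 2039, q = 1019, g = 4 (p = 2q + 1, so 4 = 2^2 has
order q; NOT secure sizes), hash = SHA-256, KH = HMAC-SHA256 reduced mod q,
E_K/D_K = SHA-256 counter keystream XOR standing in for the unspecified symmetric
cipher, and Cert_M represented by the bare public key P_M (no CA signature)."""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4


def h(*parts: bytes) -> bytes:
    """hash(): one-way hash over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def kh(key: bytes, m: bytes) -> int:
    """KH_K(m): keyed hash, reduced mod q so it can enter s = r_M / (r + x_M)."""
    return int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big") % Q


def i2b(n: int) -> bytes:
    """Fixed 2-byte encoding; every scalar and group element here is < 2^16."""
    return n.to_bytes(2, "big")


def sym(key: bytes, data: bytes) -> bytes:
    """Toy E_K / D_K: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def keygen():
    """Long-term key pair (x_E, P_E = g^{x_E} mod p)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def signcrypt(x_m: int, p_m: int, p_b: int, r_b: int, rt: bytes, payload: bytes):
    """M's second pass: returns (T, RT, c) for the wire plus K_MB for the caller."""
    while True:
        r_m = 1 + secrets.randbelow(Q - 1)
        k_mb = h(i2b(r_b), rt, i2b(pow(p_b, r_m, P)))   # hash(r_B || RT || P_B^{r_M})
        t = pow(G, r_m, P)                               # T = g^{r_M}
        m = i2b(p_m) + payload                            # m carries Cert_M (here: P_M)
        r = kh(k_mb, m)
        if (r + x_m) % Q == 0:                            # 1/q event; s would be undefined
            continue
        s = r_m * pow(r + x_m, -1, Q) % Q                 # s = r_M / (r + x_M) mod q
        c = sym(k_mb, m + i2b(r) + i2b(s))                # c = E_{K_MB}{m || r || s}
        return t, rt, c, k_mb


def unsigncrypt(x_b: int, r_b: int, t: int, rt: bytes, c: bytes):
    """B's side: the key needs only T and x_B, so M's identity is never on the wire.
    Returns (P_M, payload, K_MB) or raises ValueError when either check fails."""
    k_mb = h(i2b(r_b), rt, i2b(pow(t, x_b, P)))          # hash(r_B || RT || T^{x_B})
    pt = sym(k_mb, c)
    m, r, s = pt[:-4], int.from_bytes(pt[-4:-2], "big"), int.from_bytes(pt[-2:], "big")
    p_m = int.from_bytes(m[:2], "big")                    # Cert_M only readable after decryption
    if pow(p_m * pow(G, r, P) % P, s, P) != t:            # T ?= (P_M * g^r)^s
        raise ValueError("signature check failed: T != (P_M g^r)^s")
    if kh(k_mb, m) != r:                                  # KH_{K_MB}(m) ?= r
        raise ValueError("keyed-hash check failed")
    return p_m, m[2:], k_mb


if __name__ == "__main__":
    x_b, p_b = keygen()
    x_m, p_m = keygen()
    r_b = 1 + secrets.randbelow(Q - 1)                    # B's first-pass nonce
    t, rt, c = signcrypt(x_m, p_m, p_b, r_b, b"RT-constructed", b"hello")[:3]
    print(unsigncrypt(x_b, r_b, t, rt, c))
```

Two things worth noticing when running it: the wire carries only $T$, $RT$ and $c$, so a passive observer never sees $P_M$; and because $K_{MB}$ is bound to B's $r_B$ and $RT$, replaying M's message against a later run of B (different $r_B$) decrypts to garbage and fails the signature check rather than silently authenticating.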



3.2 Security Features 

Based on the security requirements in [15], the security features are as follows. 

- Entity authentication: Explicit authentication of M to B. Since M signcrypts 
on a random number $r_B$ generated by B, B can explicitly authenticate M. 

- Key authentication: Explicit key authentication to B and implicit key aut- 
hentication to M. Since M actually creates the key $K_{MB}$ and then signcrypts 
using it, the verifier B has the assurance that $K_{MB}$ was actually computed 
by the signer M. Since the key $K_{MB}$ can only be computed by a holder of the 
secret $x_B$, the sender M has implicit key authentication. 

- Key agreement: Mutual agreement of the session key between M and B, because 
the key is derived from the random numbers $r_M$ and $r_B$ chosen by 
M and B, respectively. 

- Key confirmation: Explicit key confirmation to B and implicit key confirma- 
tion to M. The former is based on the fact that M signcrypts under 
the generated session key $K_{MB}$, the latter on the fact that 
M can believe that the encrypted message can only be decrypted by 
a receiver who knows the secret key $x_B$. 

- Key freshness: Mutual assurance of key freshness. Ensuring the freshness of 
the generated random numbers ensures the freshness of the session key. 

- Anonymity of mobile user: Since all information on M is encrypted in the 
protocol, anonymity is ensured. 

- Non-repudiation of user: This property is based on the use of the signature 
in the signcryption scheme. 



4 Implementation of ASPeCT Protocol Using Proposed 
Signcryption 

The ASPeCT protocol [15] is basically designed to shift as much computational 
load as possible from the mobile user terminal to a base station, because it is 
assumed that the mobile user will be represented by a smart card which has a 
limited computational capability. With the use of the proposed signcryption, the 
ASPeCT protocol can be implemented as an efficient 3-pass AKA protocol. 
4.1 Description of Protocol 

Fig. 3 describes the flow of the ASPeCT protocol when the proposed signcryption 
is employed, and its procedure is as follows. 

First pass from M to B 

- When a mobile user wants to initiate a communication session, they send 
$T = g^{r_M} \bmod p$ to a base station. Upon receiving the first message from the 
mobile user, the base station generates a random number $r_B$ and calculates 
the common session key $K_{MB} = \mathrm{hash}(r_B \,\|\, (T^{x_B} \bmod p))$. 



M -> B: $T = g^{r_M} \bmod p$ 

B: 
$K_{MB} = \mathrm{hash}(r_B \,\|\, (T^{x_B} \bmod p))$ 

B -> M: $r_B \,\|\, \mathrm{hash}(K_{MB} \,\|\, r_B \,\|\, ID_B) \,\|\, TS \,\|\, Cert_B$ 

M: 
$K_{MB} = \mathrm{hash}(r_B \,\|\, (P_B^{r_M} \bmod p))$ 
$m = T \,\|\, P_B \,\|\, r_B \,\|\, ID_B \,\|\, TS$ 
$r = KH_{K_{MB}}(m)$ 
$s = r_M/(r + x_M) \bmod q$ 
$c = E_{K_{MB}}\{r \,\|\, s \,\|\, Cert_M\}$ 

M -> B: $c$ 

B: 
$D_{K_{MB}}\{c\}$ 
$T \stackrel{?}{=} (P_M \cdot g^{r})^{s} \bmod p$ 
$KH_{K_{MB}}(m) \stackrel{?}{=} r$ 

Fig. 3. Implementation of ASPeCT protocol using proposed signcryption scheme 



Second pass from B to M 

- In the second message, the base station sends its certificate $Cert_B$, random 
value $r_B$, and timestamp $TS$, and signifies knowledge of the common session 
key $K_{MB}$ by sending a copy of it hashed with the random number $r_B$ and 
$ID_B$. 

- Entity M executes the following actions: 

1. Verify authenticity of the base station’s public key $P_B$ 

2. Calculate common session key $K_{MB} = \mathrm{hash}(r_B \,\|\, (P_B^{r_M} \bmod p))$ 

3. Verify authenticity of the common session key by comparing the received 
$\mathrm{hash}(K_{MB} \,\|\, r_B \,\|\, ID_B)$ with the own computed hash value 

4. Generate the signature $(r, s)$ 

5. Encrypt the signature with own certificate using the established common session 
key $K_{MB}$ 

Third message from M to B 

- On receipt of the third message, B executes the following actions: 

1. Decrypt the received message using the common session key 

2. Compute $(P_M \cdot g^{r})^{s} \bmod p$ and compare with the received $T$. The protocol is 
aborted if the received $T$ is invalid 

3. Compute $KH_{K_{MB}}(m)$ and compare with the decrypted $r$ 



4.2 Computational Load 

When designing the ASPeCT protocol, a key agreement scheme (similar to the 
ElGamal scheme [18]) with implicit key authentication [19] of the base station 
was used, because entity authentication of the base station can be obtained 
without much extra computational load. The common session key for the AS- 
PeCT protocol is given by 

$K_{MB} = \mathrm{hash}(r_B \,\|\, (P_B^{r_M} \bmod p)) = \mathrm{hash}(r_B \,\|\, ((g^{r_M})^{x_B} \bmod p))$   (4) 

In the proposed signcryption scheme, both participants also establish the 
encryption and decryption keys using the ElGamal scheme: 

$K = \mathrm{hash}(P_B^{r_A} \bmod p) = \mathrm{hash}((g^{r_A})^{x_B} \bmod p)$   (5) 

Accordingly, the modified 3-pass AKA protocol reduces the computational 
load of the mobile user by using the common session key as the encryp- 
tion key for the modified signcryption scheme. Table 2 confirms that using the 
modified signcryption scheme reduces the computational load of the ASPeCT 
protocol. 



Table 2. Comparison of number of exponentiations 

Entity        | Modified protocol | ASPeCT protocol 
Mobile user   | 2                 | 3 
Base station  | 3                 | 3 
5 3-Pass AKA Protocol with Forward Secrecy 

5.1 Forward Secrecy 

A protocol satisfies forward secrecy if the session keys established by long- 
term secret keys in a protocol run are not compromised even if the long-term keys 
are disclosed. Recently, Park et al. [20] treated this concept for application 
in mobile communications and presented two modified ASPeCT protocols that 
provide forward secrecy. Generally, forward secrecy requires additional computations 
in a protocol run. Therefore, a protocol that can include forward secrecy with a 
small computational load is highly desirable. 

The ASPeCT protocol establishes a common session key 
$K = \mathrm{hash}(r_B \,\|\, (P_B^{r_M} \bmod p))$ using a variant of the ElGamal scheme. As 
a result, the ASPeCT protocol avoids certain public key based computations 
and thereby turns on-line exponentiation within the mobile user 
into off-line exponentiation because, in most cases, the mobile user can take 
advantage of prior knowledge of the base station’s public key $P_B$. However, 
this variant of the ElGamal scheme does not assure forward secrecy: if the 
long-term secret key of the base station is compromised and all the protocol 
transcripts for a particular session have been recorded (giving knowledge of $g^{r_M}$ and 
$r_B$) by an attacker, the common session key for that session can be easily recovered 
by the attacker, since $K = \mathrm{hash}(r_B \,\|\, ((g^{r_M})^{x_B} \bmod p))$. The disclosure of the 
secret key of the mobile user alone does not lead to the disclosure of the common 
session key (so partial forward secrecy is satisfied), and in this case the real problem 
is rather one of authentication than of forward secrecy. Moreover, forward secrecy 
concerns a mobile user who cannot ensure that the secret key of the base station 
will not be compromised. 

5.2 Description of Protocol 

Fig. 4 illustrates the flow of the modified ASPeCT protocol, which satisfies for- 
ward secrecy. 

First pass from M to B 

- When M wants to initiate a communication session, it sends $T = g^{r_M} \bmod p$ 
to B 

- Upon receiving the first message, B executes the following actions: 

1. Generate random number $r_B$ and calculate $g^{r_B} \bmod p$ 

2. Calculate common session key $K_{MB} = \mathrm{hash}(T^{r_B} \bmod p)$ and authen- 
tication response value $Auth = \mathrm{hash}(T^{x_B} \bmod p)$ 

Second pass from B to M 

- In the second message, B sends its certificate $Cert_B$, the computed $g^{r_B} \bmod p$, 
timestamp $TS$, and authentication response value $Auth$, and sig- 
nifies knowledge of the common session key $K_{MB}$ by sending a copy of it 
hashed with the random number $r_B$ and $ID_B$. 
M -> B: $T = g^{r_M} \bmod p$ 

B: 
$K_{MB} = \mathrm{hash}(T^{r_B} \bmod p)$ 
$Auth = \mathrm{hash}(T^{x_B} \bmod p)$ 

B -> M: $(g^{r_B} \bmod p) \,\|\, \mathrm{hash}(K_{MB} \,\|\, r_B \,\|\, ID_B) \,\|\, Auth \,\|\, TS \,\|\, Cert_B$ 

M: 
$Auth = \mathrm{hash}(P_B^{r_M} \bmod p)$ 
$K_{MB} = \mathrm{hash}((g^{r_B})^{r_M} \bmod p)$ 
$m = T \,\|\, P_B \,\|\, r_B \,\|\, ID_B \,\|\, TS$ 
$r = KH_{K_{MB}}(m)$ 
$s = r_M/(r + x_M) \bmod q$ 
$c = E_{K_{MB}}\{r \,\|\, s \,\|\, Cert_M\}$ 

M -> B: $c$ 

B: 
$D_{K_{MB}}\{c\}$ 
$T \stackrel{?}{=} (P_M \cdot g^{r})^{s} \bmod p$ 
$KH_{K_{MB}}(m) \stackrel{?}{=} r$ 

Fig. 4. 3-pass AKA protocol with forward secrecy 



- Entity M executes the following actions: 

1. Verify authenticity of B by computing and comparing $Auth$ 

2. Verify authenticity of B’s public key $P_B$ 

3. Calculate common session key $K_{MB} = \mathrm{hash}((g^{r_B})^{r_M} \bmod p)$ 

4. Verify authenticity of the common session key by comparing the received 
$\mathrm{hash}(K_{MB} \,\|\, r_B \,\|\, ID_B)$ with the own computed value 

5. Generate the signature $(r, s)$ 

6. Encrypt the signature with own certificate using the established common session 
key $K_{MB}$ 

Third message from M to B 

- On receipt of the third message, B executes the following actions: 

1. Decrypt the received message using the common session key 

2. Compute $(P_M \cdot g^{r})^{s} \bmod p$ and compare with the received $T$. The protocol is 
aborted if the received $T$ is invalid 

3. Compute $KH_{K_{MB}}(m)$ and compare with the decrypted $r$ 
5.3 Computational Load 

In the proposed 3-pass AKA protocol, the mobile user and base station both esta- 
blish a common session key $K = \mathrm{hash}(g^{r_M r_B} \bmod p)$ using the Diffie-Hellman 
key exchange scheme based on the temporary secret keys $r_M$ and $r_B$ of the 
entities. 



Table 3. Comparison of number of exponentiations 

Entity        | Modified protocol | ASPeCT protocol 
Mobile user   | [2] + 1           | [3] 
Base station  | [1] + 4           | 3 

[ ] : corresponding operation can be performed off-line 



Therefore, even if the secret key xm or xb is disclosed to an adversary, the 
established common session key will not be compromised. Table 3 evaluates the 
computational load of the proposed 3-pass AKA protocol. The modified protocol 
ensures perfect forward secrecy with only a slightly heavier computational load 
than the ASPeCT protocol. 
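The following is an added example, written for this page and not the authors' code, that makes the forward-secrecy argument of Sections 5.1 and 5.3 concrete: it runs one session under the Section 4 key derivation $K_{MB} = \mathrm{hash}(r_B \,\|\, (T^{x_B} \bmod p))$ and one under the Section 5 derivation $K_{MB} = \mathrm{hash}(T^{r_B} \bmod p)$, records what an eavesdropper sees, and then hands the attacker the base station's long-term key $x_B$. The same toy group as before ($p = 2039$, $q = 1019$, $g = 4$) and SHA-256 as $\mathrm{hash}$ are assumptions; the toy size is deliberate so that the brute force in the last function, which is the only route left to the Section 5 key, actually terminates.

```python
"""Forward secrecy of the Section 4 key (bound to x_B) versus the Section 5 key
(ephemeral Diffie-Hellman).  Example code written for this page, not the authors'
implementation.  Assumptions: toy group p = 2039, q = 1019, g = 4 (NOT secure
sizes; chosen so the brute-force search below finishes instantly), SHA-256 as hash()."""
import hashlib
import secrets
from typing import Optional

P, Q, G = 2039, 1019, 4


def h(*parts: int) -> bytes:
    """hash() over the 2-byte encodings of its integer arguments."""
    return hashlib.sha256(b"".join(x.to_bytes(2, "big") for x in parts)).digest()


def run_session(x_b: int, forward_secret: bool):
    """One honest run.  Returns the session key and the transcript an eavesdropper
    records: (T, r_B) in the Section 4 protocol, (T, g^r_B, Auth) in the Section 5 one."""
    r_m = 1 + secrets.randbelow(Q - 1)
    r_b = 1 + secrets.randbelow(Q - 1)
    t = pow(G, r_m, P)                                   # T = g^{r_M}, sent in the clear
    if not forward_secret:
        key = h(r_b, pow(t, x_b, P))                     # Section 4: hash(r_B || T^{x_B})
        transcript = {"T": t, "r_B": r_b}
    else:
        key = h(pow(t, r_b, P))                          # Section 5: hash(T^{r_B})
        transcript = {"T": t, "g^r_B": pow(G, r_b, P),
                      "Auth": h(pow(t, x_b, P))}         # x_B only authenticates B
    return key, transcript


def attacker_with_long_term_key(x_b: int, transcript: dict) -> Optional[bytes]:
    """What an attacker who later learns x_B derives from the recorded transcript by
    evaluating the key formula directly.  Section 4: everything needed is present.
    Section 5: r_B never left B, so the formula cannot be evaluated; returns None."""
    if "r_B" in transcript:
        return h(transcript["r_B"], pow(transcript["T"], x_b, P))
    return None


def attacker_can_forge_auth(x_b: int, transcript: dict) -> bool:
    """Section 5 with x_B leaked: the attacker can still compute Auth = hash(T^{x_B}),
    i.e. impersonate B in future runs.  That is the authentication problem the text
    distinguishes from forward secrecy; the recorded session key stays safe."""
    return "Auth" in transcript and h(pow(transcript["T"], x_b, P)) == transcript["Auth"]


def brute_force_ephemeral(transcript: dict) -> bytes:
    """The only remaining route to the Section 5 key: recover r_B from g^r_B by
    exhaustive search.  q exponentiations here; at real parameter sizes this is the
    discrete logarithm problem and does not finish."""
    target = transcript["g^r_B"]
    for guess in range(1, Q):
        if pow(G, guess, P) == target:
            return h(pow(transcript["T"], guess, P))
    raise ValueError("no exponent found")


if __name__ == "__main__":
    x_b = 777
    k4, tr4 = run_session(x_b, forward_secret=False)
    print("Section 4 key recovered from x_B + transcript:",
          attacker_with_long_term_key(x_b, tr4) == k4)
    k5, tr5 = run_session(x_b, forward_secret=True)
    print("Section 5 key derivable from x_B + transcript:",
          attacker_with_long_term_key(x_b, tr5) is not None)
    print("Section 5 Auth forgeable with x_B:", attacker_can_forge_auth(x_b, tr5))
    print("Section 5 key by brute force over Z_q:", brute_force_ephemeral(tr5) == k5)
```

The asymmetry the code shows is exactly the one Table 3 pays for: the Section 5 base station spends one extra on-line exponentiation ($T^{r_B}$) so that its long-term key $x_B$ authenticates the run without ever entering the key, and an attacker who later obtains $x_B$ is reduced to solving for $r_B$.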



6 Conclusion 

A signcryption scheme was modified to provide signer anonymity so that it is ap- 
plicable to mobile communications. The main idea is that both communicating parties 
first establish an encryption key to protect the identity data of the sen- 
der, and the recipient then generates the decryption key from the received data 
and his own secret key. The modified signcryption scheme has the same compu- 
tational load as the other signcryption methods. 

Employing the proposed scheme, an efficient and secure 2-pass AKA pro- 
tocol was presented for the air-interface of mobile communications, along with 
two 3-pass AKA protocols related to the ASPeCT protocol. The first 3-pass 
AKA protocol reduced the computational load on the mobile user end by one 
modular exponentiation without any reduction of security, whereas the other 
provided forward secrecy with slightly more computation, where the number 
of exponentiations on the mobile side remained unchanged. 
Abstract. Auction systems allow many entities, each possessing a uni- 
que secret value, to interact in order to reveal the winning value from 
the set of secret values, based on the rules of interaction. A platform to 
achieve this goal is sealed bid auction. We propose a schema and a con- 
crete design to achieve this goal in a simple, efficient and secure fashion. 

The schema will facilitate the use of existing and future knowledge in 
providing anonymity. 

Keywords: Sealed bid auction, sealing process, anonymity. 

1 Introduction 

The fundamental goal of auction systems is the distribution of scarce resources 
among, potentially, many bidders based on well devised rules to determine the 
winning strategy [8]. A common approach to protect the interests of individual 
bidders, from conspiring bidders and auctioneers, is the sealed bid auction sy- 
stem. A seal is employed to provide secrecy for a bid, until a pre-defined event. 
In the physical world, the sealed bid may simply be a sealed envelope that enclo- 
ses a paper containing the value of the bid (along with optional non-repudiation 
information from the bidder) . The sealing process guarantees a fair auction pro- 
cedure for honest bidders. At the same time, there must be mechanisms to open 
the seal (after a specified event) to reveal the winning bidder, in order to avoid 
disavowal after participation. A requirement for some systems, but not necessa- 
rily for the sealing method, is to protect the secrecy of the losing bids, even after 
the completion of the auction procedure. This requirement is mainly to provide 
restricted privacy for the losing bidders. We stress the word restricted because 
once the identity of the bidders is known and the identity of the winning bidder 
and the corresponding bid value are published, automatically some information 
about the bid values of the losing bidders is revealed. The only approach to 
provide complete privacy for losing bidders would be to refrain from publishing 
the identity of all the bidders. 

In order to electronically implement the sealed bid auction procedure, the first 
step is to design a suitable sealing process. Towards this end the requirements 

* Research supported by the Australian Research Council grant A49804059 
specific to the sealing process must be identified. Once such a sealing process is 
devised, this abstraction can be used along with other techniques to achieve a 
complete auction system. 

1.1 Literature Review 

We shall now review selected proposals from the literature. Confidentiality of 
the bid has been of paramount importance for the design of electronic auction 
systems. To achieve confidentiality of bid some proposals [5,7] used secret-sharing 
primitives to distribute the value of the bid among many trustees. When at least 
a threshold of the trustees are honest, they will not assist in opening the bid 
before the closing period. This approach generally results in inefficient systems, 
when public verifiability is required. This is because there exists no efficient 
protocol construct for publicly verifiable encryption [14], which is an essential 
building block for publicly verifiable secret sharing schemes. The other approach 
to publicly verifiable secret sharing is that of Schoenmakers [13], which is more 
efficient than the scheme by Stadler [14]. However, its application to the auction 
scheme will remain inefficient, as compared with our scheme. We shall provide 
an estimate of the number of exponentiations required for this approach in 
Section 4.3. 

Sakurai and Miyazaki [11] proposed an elegant auction system where the 
confidentiality of bid is controlled only by the bidder. For non-repudiation of the 
bid, Sakurai and Miyazaki used the undeniable signature scheme. Unfortunately, 
the computational and communicational complexity of their scheme [11] is de- 
pendent on the number of participants, thereby rendering their system inefficient 
for large scale auction systems. Moreover, their scheme requires every bidder to 
be on-line, which may not be a desirable property in large scale auctions over 
open networks. 

Sako [10] attempted to modify their proposal [11] using group encryption (for 
a group of trusted auctioneers) , instead of the undeniable signature scheme, for 
sealing the bid. We believe that in doing so, the proposal by Sako lost the main 
advantage of the proposal by Sakurai and Miyazaki, which was user-controlled 
confidentiality of the bid. 

Harkavy et al [6] proposed an auction scheme based on secure distributed 
computing primitives. Although they claim the system to be moderately efficient, 
the security arguments for their scheme remain unclear. 

The properties that have been identified for sealed bid auction systems are: 

Confidentiality of bid: Only the bidder must know the bidding strategy until 
the closing period. 

Non-repudiation of bid: The winning bidder must not be able to repudiate 
or change the bidding strategy. 

Publicly verifiable auction: Any monitor must be able to verify the validity 
of the auction procedure. 

Anonymity of bidder: The bidder-bid relationship must be known only to 
the bidder, unless the bid conforms with the winning strategy. 

Independence of auction rules: The security protocols for auction rules 
must be independent of the auction rules. 



1.2 The Approach 

We shall present the approach taken by our paper to design an auction system. 
The system consists of two sub-systems, an anonymity sub-system that provides 
anonymity to all its users and an auction sub-system that allows the users to 
participate in the auction procedure. Thus the system, in effect, provides an 
anonymous auction service. The auction sub-system can be explained in terms 
of the following physical-world entities. The auction system consists of a “magic 
seal,” that will allow only the entity that sealed the bid to open it. The bidders 
place their bid values inside an envelope and apply the “magic seal” to it. In order 
to register in a particular auction protocol, the bidders send the envelope to the 
auctioneer using (something like) the registered post service, which guarantees 
that the sealed bid will reach the auctioneer (who will not be able to repudiate 
the receipt). When the actual auction procedure starts, the bidders assist the 
auctioneer to break the “magic seal.” The envelopes that are not opened are 
discarded and do not participate in the auction. 



Organisation and Notation. The paper is organised to present an abstraction 
of the electronic cash technology in the next section, an abstraction and design 
of a sealing process in Section 3 and the auction system, which employs the 
e-cash and sealing techniques, in Section 4. 

Entities will be represented using calligraphic symbols. The following symbols 
possess the following semantics: 

1. := is an assignment operation, used only with a process, function or protocol 
abstraction. 

2. =? is the checking operation. 

3. ∈_R represents the action of choosing at random. 

4. ⟨X⟩ is a proof transcript (a set of values conforming to a grammar), named 
X. 

2 Background 

Our proposal will make use of an anonymous token issuer (ATI), such as the 
electronic cash technology, to provide a privacy service for the participants in the 
auction process. Towards this end, we will employ the fair electronic cash scheme 
proposed by Frankel et al [3]. Note that any anonymous token issuing facility 
that supports non-transferability and revocable anonymity can be employed. The 
remainder of this section will describe the abstractions of the ATI that will be 
used to explain the auction protocol. 

System Settings. The bank, B, chooses and publishes primes p and q such 
that p = 2q + 1 and the generators g and g1 of order q. The bank publishes its 
public key y_B = g^{x_B} and related system setting information, and retains the 
secrecy of the corresponding private key x_B. The bank also publishes the public key 
of the trustee, T, (for tracing purposes) which is of the form f_T = g^{x_T}, 
where x_T is the corresponding private key. Every user registers with the bank 
to obtain an identity of the form I = g^{u1}, where g is the base and u1 is the user’s 
private key. 

Protocol Withdraw: The user identifies himself/herself to the bank (or the 
mint) and then engages in this protocol to obtain a restrictive blind signature on 
a pseudonym of the form A = (I g1)^s, where g1 is a base and s a secret, random 
value. The restrictive blind signature restricts the structure of A to be of this 
form. The value of A is never revealed to the bank. We shall express this phase 
as (A, Cert_A)_I := Withdraw(I, B, {s}_I, {x_B}_B), which should be read as, “I 
engages in the withdraw protocol with B using a (random) value s (known only 
to I) to obtain a certificate Cert_A for A, which are known only to I, signed by 
the bank using its private key x_B.” 

Protocol Spend: The user derives two pseudonyms of the form A1 = g^{u1 s} 
and A2 = g1^s from A, such that A = A1 A2. The user then proves to the mer- 
chant, M, its knowledge of the pre-images of A1 and A2 with respect to the reference 
bases g and g1 respectively (thereby proving knowledge of a representation of 
A). Additionally, he/she proves that his/her identity, which is hidden in A1, 
has been encrypted for a trustee under the public key f_T, resulting in the ci- 
phertext D. The user never reveals his/her identity, I, to the merchant. We 
shall express this phase as ⟨Proof_A⟩ := Spend(A, Cert_A, M, y_B, f_T, {s, u1}_A), 
which should be read as, “A engages in the spend protocol with M using the 
certificate Cert_A, B’s public key y_B and the private data (s, u1) to generate 
the transcripts for a proof system ⟨Proof_A⟩, which contains an encryption of the 
identity of the user under the public key f_T.” ⟨Proof_A⟩ contains the following tu- 
ple, (A1, A2, Encryption_{f_T}(I)), along with the corresponding proof transcripts. 
Here Encryption_{f_T}(I) is the encryption of the user identity I under the public 
key f_T. 



Protocol Deposit: The merchant submits the proofs of knowledge, which it 
received in Protocol Spend, to the bank and avails credit. The bank can check 
whether it has already received the tuple (A1, A2) to detect double-spent transcripts. 
We shall express this phase as Deposit(M, B, A, Cert_A, ⟨Proof_A⟩), which should 
be read as, “M engages in the deposit protocol with B to submit the values 
(A, Cert_A) and ⟨Proof_A⟩.” 

Protocol Trace: When the bank, or any other authorised entity, needs to trace 
the identity of the user who spent a particular transcript, it can contact the 
trustee. When the trustee is provided with the transcript ⟨Proof_A⟩, it can re- 
trieve the ciphertext Encryption_{f_T}(I) and decrypt it using its private key to 
obtain the identity. We are only interested in the “owner tracing” aspect and 
not in the “coin tracing” aspect of fair e-cash. We shall express this phase as 
(I, Proof_T) := Trace(X, T, (A, Cert_A), ⟨Proof_A⟩, {x_T}_T), which should be read 
as, “X engages in the tracing protocol with T using the values (A, Cert_A) and 
⟨Proof_A⟩, to obtain the identity I and an optional proof Proof_T, for proof of 
correct decryption of the ciphertext. The trustee uses its private key x_T for this 
purpose.” 

3 Abstracting the Sealed Bid 

In this section, we propose a mechanism for sealing the bid, which is central 
to the notion of the sealed bid auction procedure. We shall define the sealing 
process as follows: 

Definition 1 The sealing process is represented by: 

⟨Proof_S⟩ := Seal(b, r, I) 

where ⟨Proof_S⟩ contains the sealed bid values along with the transcripts for proof 
of knowledge of the bid value, b, a randomiser, r, and the identity (or public key) 
of the sealer (or bidder), I. Given ⟨Proof_S⟩ the following must be true: 

Hiding: It must be intractable to determine the values of b or r. 

Binding: It must be intractable to determine distinct tuples (b, r) and (b', r') 
such that 

(⟨Proof_S⟩ := Seal(b, r, I)) AND (⟨Proof_S⟩ := Seal(b', r', I)). 

Non-repudiation: It must be intractable to determine (b, r, I) and (b', r', I') 
such that 

(⟨Proof_S⟩ := Seal(b, r, I)) AND (⟨Proof_S⟩ := Seal(b', r', I')) 
unless (b, r, I) = (b', r', I'). 

Clearly, the requirements for non-repudiation are a superset of the requirements 
for binding. 

There may be many approaches to realise the sealed bid. The most prominent 
of them would be: 

1. the signed commitment approach. Here the bidder can use a suitable com- 
mitment scheme [9,1] to commit to the bid and then sign the commitment 
value. 

2. the signed encryption approach. Since semantically secure encryption sche- 
mes [4] can be idealised to be a commitment scheme, an encryption scheme 
can be used instead. 



¹ It is surprising that many proposals have not explicitly concentrated on this aspect, 
namely proof of correct revocation. 

The first approach can be used when unconditional confidentiality is a requi- 
rement for the sealed bid. If revocation of confidentiality from the sealed bid 
(that is, without the participation of the bidder) is required, the latter approach along with 
suitable key escrow techniques can be employed. In that case, the bidder can be 
expected to encrypt the value of the bid under the public key of a trusted entity. 
We shall employ the first approach in this paper. 

3.1 A Concrete Proposal for the Sealed Bid 

Based on the definition of the sealed bid we design a three pass, Schnorr type [12, 
1] protocol to accomplish the desired goals. 

System Settings A prime order subgroup G of Z_p^* is chosen to be of order q 
such that p = 2q + 1 for a sufficiently large prime p, so as to render the discrete 
logarithm problem intractable. Two generators, g and g1, for the group are 
published such that nobody knows² log_g g1. All operations are carried out in 
either Z_p^* or Z_q depending on the group being operated upon. The public key of 
the sealer (bidder) is certified to be y1 = g^{x1} and y2 = g1^{x2}. 

Sealing Protocol An interactive protocol between the sealer and the receiver (of 
the seal) is as shown in Table 1. The sealer wishes to commit to the bid value 
b ∈ Z_q and identify himself/herself using the public keys y1 and y2. The sealer 
forms the commitment S to the bid value b and another commitment B for the pur- 
pose of identification, and sends the two commitment values to the receiver. The 
receiver picks a random challenge c and returns the challenge. The sealer then forms 
the response (s1, s2) with respect to the public key (y1, y2) and the commitment 
B. The sealer now uses (s1, s2) to respond to the commitment S as t1 and t2. 
The idea behind this concept is that the tuple (S, B, c, s1, s2) is unique (with 
an overwhelming probability) in every protocol run and could not have occurred 
previously if the sealer or the verifier is honest. Therefore the responses t1 and t2 
are unique in every protocol run. And so, the tuple (S, B, c, t1, t2) is also unique 
in every protocol run, with an overwhelming probability. 

Table 1. The Sealing Protocol 

  Sealer                                                Receiver 
  a, d1, d2 ∈_R Z_q 
  S = g^b g1^a mod p, B = g^{d1} g1^{d2} mod p 
                                ------ S, B ------> 
                                                        c ∈_R Z_q 
                                <------- c -------- 
  s1 = d1 - c x1, s2 = d2 - c x2 
  t1 = s1 - bc, t2 = s2 - ac 
                                ------ t1, t2 -----> 

² When g1 is the public key of a trusted entity or a Diffie-Hellman value of the public 
key of the trustee and the bidder, a similar approach can be used to design the signed 
encryption approach mentioned in the earlier section. 

We present the following theorems for our proposal. 

Theorem 1 The proposed protocol belongs to the class of honest verifier zero- 
knowledge protocols. 

Proof: Clearly the protocol belongs to the three pass, honest verifier class. The 
protocol transcripts can be easily simulated by calculating B = (S y1 y2)^c g^{t1} g1^{t2} 
after choosing S, c, t1 and t2. 

Theorem 2 If the values in the tuple (S, B, c, t1, t2) cannot be altered, then the 
protocol possesses the properties required for binding to the value of b. 

This theorem follows trivially from the theorem presented by Pedersen [9] (Theo- 
rem 3.1). 

Corollary 1 Given the tuple (S, B, c, t1, t2), it will be infeasible to determine 
the value of b. Thereby, the protocol hides the value of b. 

Follows from Theorem 1. 

Theorem 3 When the sealer does not know the private keys corresponding to 
the public keys y1 and y2, and the discrete logarithm problem is hard, the sealer 
convinces the receiver with a probability of 1/2^{|q|}, where |q| is the size of q in 
bits. 

Sketch: The sealer can cheat the receiver by guessing the challenge correctly 
in advance. Then by Theorem 1 the sealer can form correct transcripts. If 
|q| = log2 q, then the number of legal challenges will be of the form 2^{|q|}. When 
the receiver chooses the challenges at random, as prescribed by the protocol, the 
probability that the sealer will correctly guess the challenge is 1/2^{|q|}. □ 



3.2 The Non-interactive Version 

The interactive protocol suggested in Table 1 can be converted into a non- 
interactive version using the Fiat-Shamir heuristic [2]. For this purpose, we shall 
make use of a collision intractable hash function H : {0, 1}* → Z_q. The sealer 
performs the following process with the bid b, his/her private key (x1, x2) and 
the randomiser a as the inputs to obtain the output (S, t1, t2, c). 

Begin Process Sealer 
  Input: {x1, x2, b, a, g, g1, p, q} 
  d1, d2 ∈_R Z_q 
  Compute: 
    S = g^b g1^a mod p, B = g^{d1} g1^{d2} mod p 
    c := H(y1, y2, S, B) 
    s1 = d1 - c x1 mod q, s2 = d2 - c x2 mod q 
    t1 = s1 - bc mod q, t2 = s2 - ac mod q 
  Output: {S, t1, t2, c} 
End Process 

The outputs of the sealing process can be verified by employing the following 
process: 

Begin Process VerifySeal 
  Inputs: {S, t1, t2, c, y1, y2, g, g1, p} 
  If c = H(y1, y2, S, (S y1 y2)^c g^{t1} g1^{t2} mod p), then 
    Result ← Pass 
  Else 
    Result ← Fail 
  EndIf 
  Output: Result 
End Process 

In this process the verifier checks the sealing transcripts against the public key 
of the sealer. 

To open the seal the sealer can release the tuple (b, a). The values can be 
checked against the seal as follows: 

Begin Process VerifyOpenedSeal 
  Inputs: {a, b, S, t1, t2, c, y1, y2, g, g1, p, q} 
  If S = g^b g1^a, then 
    s1 = t1 + bc mod q, s2 = t2 + ac mod q 
  Else 
    Result ← Fail 
    GoTo Output 
  EndIf 
  If c = H(y1, y2, S, … mod p), then 
    Result ← Pass 
  Else 
    Result ← Fail 
  EndIf 
  Output: Result 
End Process 

In this process the verifier checks the tuple (b, a) against the commitment value 
S. If they are correctly verified the actual signature value (s1, s2) is computed 
from t1 and t2. The value of (s1, s2) is then checked for a proper signature. Note 
that this is optional, because if the seal tuples pass the VerifySeal process and the 
tuple (b, a) is correctly verified against S, then (s1, s2) will be a legal signature 
tuple on S. 
4 The Auction System 

We shall now present a three phased auction system design using the electronic 
cash technology (see Section 2) and the process for sealing the bid proposed in 
Section 3.2. 

System Settings: The system consists of a set of bidders B, a mint, M, for issuing 
electronic coins, a registrar, R, an auctioneer, A, and a trustee T. 

A suitable prime-order subgroup, G of Z_p^*, of order q, is chosen such that 
p = 2q + 1 is a large prime and the discrete logarithm problem is intractable. 
Suitable generators, g and g1, are chosen such that log_g g1 is not known to 
any entity. The arithmetic operations are performed in the relevant groups. A 
suitable hash function H : {0,1}* → Z_q is chosen. Additional system setting 
requirements specific to the electronic cash technology are published along with 
the tuple (p, q, g, g1, H). 

The public keys of the following entities are published: 

1. The public key of each bidder, I = g^{u1}, where u1 is the corresponding private 
key. 

2. The public key of R, y_R = g^{x_R}, where x_R is the corresponding private key. 

3. The public key of A, y_A = g^{x_A}, where x_A is the corresponding private key. 

4. The public keys of the mint, M, y_M = g^{x_M}, and the trustee, f_T = g^{x_T}. 

4.1 The Three Phases 

The pictorial representation of our model for the auction system is presented in 
Figure 1. We propose a three phased schema for the design of an auction system. 
The three phases are: 

1. Coin withdrawal phase, consisting of the withdrawal sub-protocol; 

2. registration phase, consisting of the Spend, Sealer and VerifySeal sub-pro- 
tocols; and, 

3. bid submission phase, consisting of the VerifyOpenedSeal sub-protocol. 

We shall now discuss in detail each of these protocol phases. 

Coin Withdrawal Phase: Bidder B_i, owning the public key I and wishing to par- 
ticipate in individual auction activities, engages in the withdrawal protocol 
with the mint, M, to obtain (A_i, Cert_{A_i}): 

(A_i, Cert_{A_i})_I := Withdraw(I, M, {s}_I, {x_M}_M) 

We refer to Section 2 for the interpretation. 

[Fig. 1. System Dynamics of the Auction System. Panels: Electronic cash sub-protocol; Basic Auction sub-protocol] 

Registration Phase: The bidder, B_i, performs the following tasks: 

1. presents the tuple (A_i, Cert_{A_i}) to R; 

2. engages in the spending protocol to convince R of its ownership of the tuple 
without revealing its identity. The spending protocol will be of the form: 

⟨Proof_{A_i}⟩ := Spend(A_i, Cert_{A_i}, R, y_B, f_T, {s, u1}_{A_i}) 

If the spending phase was successful, then ⟨Proof_{A_i}⟩ will contain A1_i = g^{u1 s} 
and A2_i = g1^s (see Section 2), such that A_i = A1_i A2_i. 

3. chooses its bid value, b ∈ Z_q; 

4. seals the bid using the sealing process explained in Section 3.2. Towards 
this end it chooses a ∈_R Z_q and computes the following: 

{S, s1, s2, c} := Sealer(u1 s, s, b, a, g, g1, p, q) 

Here {S, s1, s2, c} are the outputs of the sealing process and {u1 s, s, b, a, g, g1, 
p, q} are the inputs (see Section 3.2). R verifies the sealing process as: 

Pass =? VerifySeal(S, s1, s2, c, A1_i, A2_i, g, g1, p) 

where {S, s1, s2, c, A1_i, A2_i, g, g1, p} are the inputs to the process and the 
output is either Pass for successful verification or Fail for unsuccessful 
verification. 

If R is satisfied with all the proofs in this section it signs the tuple as: 

σ_{R_i} := Sign(x_R, S, s1, s2, c, A1_i, A2_i, g, g1, ⟨Proof_{A_i}⟩) 

where Sign is a suitable signature algorithm that signs all the inputs 
(S, s1, s2, c, g, g1, A1_i, A2_i, ⟨Proof_{A_i}⟩) using the private key x_R. R then stores: 

(S, s1, s2, c, g, g1, A1_i, A2_i, ⟨Proof_{A_i}⟩) 

along with ⟨Proof_{A_i}⟩ and σ_{R_i} in a publicly readable directory DB_R, indexed 
by A1_i. 

R refrains from accepting registration after a specified time, the end of bid 
registration time (EBRT). 

Bid Submission Phase This phase starts after the EBRT and finishes when 
the end of bid submission time (EBST) is reached, that is, A accepts bids 
during the period between EBRT and EBST³. In this phase, B_i contacts 
the auctioneer, A, and authenticates using its pseudonym A1_i. B_i opens the 
commitment by sending (b, a) to A. On receiving the tuple, A: 

1. obtains the registration transcripts from DB_R using A1_i as the index 
into the database; 

2. verifies the signature on the transcript by R; 

3. obtains the seal values, (S, s1, s2, c), from the transcript; 

4. verifies the opened commitments as: 

Pass =? VerifyOpenedSeal(a, b, S, s1, s2, c, A1_i, A2_i, g, g1, p, q) 

and aborts the submission process when the result is not Pass; 

5. signs the bid tuple (b, a) along with the seal values (S, s1, s2, c) as: 

σ_{A_i} := Sign(x_A, S, s1, s2, c, A1_i, A2_i) 

where Sign is a suitable signature function, x_A the private key and 
(S, s1, s2, c, A1_i, A2_i) the tuple that is being signed to result in the signature tuple; 

6. returns the signature tuple to B_i as a receipt of the bids; 

7. stores the tuple (b, a) along with σ_{A_i} and (A1_i, A2_i) in a publicly rea- 
dable directory DB_A, indexed by b. 

Some bidders may refrain from opening their bids during this phase. If this 
is the case, the identity of such bidders can be traced using the anonymous 
token submitted by the bidder during the registration phase. Suitable action 
can then be taken against such bidders. Alternatively, a different method for 
the sealing process can be employed such that a quorum of trusted entities 
can recover the plaintext bid values without the participation of the bidder. 

Announcement of Results: When the auction is announced to be terminated, the 
highest bid, b, is chosen from the database (which is publicly readable, thereby 
providing public verifiability) and B_i (the owner of the bid b) is announced as 
the winner. B_i identifies with A using the pseudonym, A1_i, which is available in 
DB_R, and avails the auctioned goods. Note that the anonymity of the winning 
bidder need not be revoked, but can be if necessary. 

³ R is trusted not to register sealed bids after EBRT and A not to accept opened bids 
after EBST. This assumption is valid because DB_R and DB_A are publicly readable 
and can be suitably monitored for potential breach of trust. 
Anomalies: There are two cases of anomalies that could occur: 

1. the winning bidder does not claim the goods; or, 

2. the auctioned goods are denied to the winning bidder. 

In the first case the winning bidder does not claim the goods and thereby 
does not pay for the goods. In this case, A or any other entity can approach 
the trustee T and engage in the tracing protocol to compute the identity, I, of 
B_i, possessing the pseudonym A1_i. This is computed using the tracing protocol 
described in Section 2 as: 

(I, Proof_T) := Trace(X, T, (A_i, Cert_{A_i}), ⟨Proof_{A_i}⟩, {x_T}_T) 

Note that all the information required for tracing is present in DB_A and DB_R. 
In the second case, when the auction goods are denied to the winning bidder 
(due to a software glitch or some other error), B_i can approach R with the receipt, 
σ_{A_i}, that it received during the bid submission phase, identify itself using the 
pseudonym A1_i and avail the goods or other compensation. 
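The sealing processes of Section 3.2 (Sealer, VerifySeal, VerifyOpenedSeal) and the registrar and auctioneer checks of phases 2 and 3 in Section 4.1, as an added Python example that is not part of the paper: it runs over a constructed toy group (p = 2039, q = 1019, with the generators taken as small squares) and uses SHA-256 reduced modulo q in place of H. The e-cash Spend proof and the signatures by R and A are left out (an assumption of this example), and the pseudonym (A1_i, A2_i) = (g^{u1 s}, g1^s) serves directly as the sealer's public key, as Section 4.1 does. The signature check on (s1, s2) inside VerifyOpenedSeal is written out as (y1 y2)^c g^{s1} g1^{s2} = B, which follows from the Sealer equations.

```python
import hashlib
import secrets

# Toy system settings, constructed for this example: p = 2q + 1 with p and q
# prime. An 11-bit group keeps the numbers readable; real use needs p of at
# least 2048 bits, otherwise the hiding property is void.
P, Q = 2039, 1019
G = pow(2, 2, P)    # a square, hence in the order-q subgroup of Z_p^*
G1 = pow(3, 2, P)   # second base, chosen independently of G


def hash_to_zq(*values):
    """H : {0,1}* -> Z_q, realised as SHA-256 over length-prefixed big-endian ints."""
    h = hashlib.sha256()
    for v in values:
        enc = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(enc).to_bytes(2, "big") + enc)
    return int.from_bytes(h.digest(), "big") % Q


def sealer(x1, x2, b, a):
    """Process Sealer: commit to bid b with randomiser a and sign with (x1, x2)."""
    y1, y2 = pow(G, x1, P), pow(G1, x2, P)
    d1, d2 = secrets.randbelow(Q), secrets.randbelow(Q)
    S = pow(G, b, P) * pow(G1, a, P) % P         # commitment to the bid
    B = pow(G, d1, P) * pow(G1, d2, P) % P       # commitment for identification
    c = hash_to_zq(y1, y2, S, B)                 # Fiat-Shamir challenge
    s1, s2 = (d1 - c * x1) % Q, (d2 - c * x2) % Q
    t1, t2 = (s1 - b * c) % Q, (s2 - a * c) % Q  # responses bound to S
    return S, t1, t2, c


def verify_seal(S, t1, t2, c, y1, y2):
    """Process VerifySeal: rebuild B = (S y1 y2)^c g^t1 g1^t2 and re-derive c."""
    B = pow(S * y1 * y2 % P, c, P) * pow(G, t1, P) * pow(G1, t2, P) % P
    return c == hash_to_zq(y1, y2, S, B)


def verify_opened_seal(a, b, S, t1, t2, c, y1, y2):
    """Process VerifyOpenedSeal: check (b, a) against S, then the signature (s1, s2)."""
    if S != pow(G, b, P) * pow(G1, a, P) % P:
        return False
    s1, s2 = (t1 + b * c) % Q, (t2 + a * c) % Q
    # Signature check derived from the Sealer equations: (y1 y2)^c g^s1 g1^s2 = B
    B = pow(y1 * y2 % P, c, P) * pow(G, s1, P) * pow(G1, s2, P) % P
    return c == hash_to_zq(y1, y2, S, B)


class Auction:
    """Phases 2 and 3 of Section 4.1, simplified for this example: the e-cash
    Spend proof and the signatures of R and A are omitted, and the pseudonym
    (A1, A2) = (g^(u1 s), g1^s) is used directly as the sealer's public key."""

    def __init__(self):
        self.db_r = {}   # DB_R: registered seals, indexed by A1
        self.db_a = {}   # DB_A: opened bids, indexed by bid value

    def register(self, A1, A2, seal):
        S, t1, t2, c = seal
        if A1 in self.db_r or not verify_seal(S, t1, t2, c, A1, A2):
            return False                          # reused pseudonym or bad seal
        self.db_r[A1] = (S, t1, t2, c, A2)
        return True

    def submit(self, A1, b, a):
        if A1 not in self.db_r:
            return False                          # unregistered pseudonym
        S, t1, t2, c, A2 = self.db_r[A1]
        if not verify_opened_seal(a, b, S, t1, t2, c, A1, A2):
            return False                          # opening does not match the seal
        self.db_a[b] = (a, A1, A2)
        return True

    def winner(self):
        """Highest-price rule; any rule over the clear-text bids in DB_A would do."""
        return max(self.db_a) if self.db_a else None


def run_auction(bidders):
    """bidders: constructed (u1, s, b) triples. Returns the per-phase outcomes."""
    auction = Auction()
    registered, opened, openings = [], [], []
    for u1, s, b in bidders:
        x1 = u1 * s % Q                           # A1 = g^(u1 s), A2 = g1^s
        A1, A2 = pow(G, x1, P), pow(G1, s, P)
        a = secrets.randbelow(Q)
        registered.append(auction.register(A1, A2, sealer(x1, s, b, a)))
        openings.append((A1, b, a))
    for A1, b, a in openings:
        opened.append(auction.submit(A1, b, a))
    # Opening a value other than the sealed one must be rejected by A
    A1, b, a = openings[0]
    cheat = auction.submit(A1, b + 1, a)
    return registered, opened, cheat, auction.winner()
```

run_auction registers three constructed bidders, opens their seals in the bid submission phase, attempts one opening with a changed bid value that the auctioneer has to reject, and applies the highest-price rule to DB_A.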

4.2 Analysis 

In this section we shall verify the accomplishments of the protocol against the 
requirements stated in Section 1.1. 

Confidentiality of bid: The confidentiality of the bid is provided by the hiding 
property of the sealing process, until the bid submission phase. Since, with an 
overwhelming probability, only the bidder can open the commitment values 
correctly, the scheme provides user-controlled confidentiality for the bid. 

Non-repudiation of bid: This property is provided by the non-transferability 
property of the electronic cash scheme and the non-repudiation property of 
the sealing process. We stress the non-transferability property of the e-cash 
system because if the bidder transfers the power to spend the coin to another 
entity it would have to reveal the values of u1 s and s to that entity, and u1 
is a long term secret key of the bidder’s account with the mint. 

Publicly verifiable auction: Since all the proof transcripts in the system are 
publicly verifiable, the proposed auction system possesses this property. 

Anonymity of bidder: Conditional anonymity is provided to all the bidders 
using the e-cash system as an anonymous token issuer. Note that the ano- 
nymity of the winning bidder is also preserved. 

Independence of auction rules: All the bid values, b, will reside in DB_A 
in clear-text. Any suitable auction rules can be employed to determine the 
winning bidder. 



4.3 Comparison Based on Efficiency 

In this section we shall compare the computational requirements of our scheme 
with the proposals using publicly verifiable secret sharing (PVSS) [13] schemes, 
such as that of Franklin and Reiter [5], and the auction scheme proposed by 
Sakurai and Miyazaki [11]. The number of modular exponentiations by each 
entity for achieving confidentiality of bid were counted. The results are presented 
in Table 2. 

An estimate (based on the publicly verifiable secret sharing scheme proposed 
by Schoenmakers [13]) of the number of modular exponentiations by each entity 
for achieving confidentiality of bid in schemes employing PVSS, such as that of 
Franklin and Reiter [5], is presented. We shall assume a t out of n scheme with 
t = 2 and n = 2, which is the simplest mode. The estimates are presented in 
Table 2. 

The protocol proposed by Sakurai and Miyazaki [11] accomplishes anonymity 
of losing bidders and user controlled anonymity using undeniable signatures. The 
estimates assume the following variables: L is the number of bids, J ∈ {0, …, L-1} 
is the index of the winning bid value, N is the number of bidders and B the 
number of winning bidders. The assumed values are: L = 10 and N = 100. The 
estimates are presented in Table 2. In the table, the best case condition occurs 
when J = 0 and the worst case condition occurs when J = 9. 



Table 2. Computational Comparison of Proposals 

                        Bidder                        Auctioneer    Trustee 
  Our scheme (a)        20                            5N/2N         15N 
  PVSS schemes (b)      4n + 2t                       4nN           4(n + t)N 
  Sakurai et al. (c)    10J + 3 (losing bidder)       6JN + 6B 
                        10J + 13 (winning bidder) 

(a) Anonymity for winning and losing bidders 
(b) No anonymity for winning and losing bidders 
(c) Anonymity for losing bidders 



The following observations are made on Table 2: 

1. the bidders need to perform a constant number of exponentiations in our 
scheme; 

2. the number of exponentiations that the auctioneer needs to perform: 

a) is linear in the number of bidders, in our scheme; 

b) is directly proportional to the number of bidders and the number of 
trustees in PVSS schemes; and, 

c) is directly proportional to the product of the number of winning bidders 
and the number of bids and, to the number of bidders, in [11]. 

Clearly, our scheme possesses a superior performance, in comparison with 
the approach based on the publicly verifiable secret sharing approach (without 
anonymity for losing bidders). In comparison with the scheme by Sakurai and 
Miyazaki, our scheme achieves the properties in a much more efficient manner 
with a constant number of exponentiations for the bidders. 
4.4 Comparison Based on the Characteristics 

We shall now present the characteristics of our scheme, in comparison with 
the other schemes, to demonstrate its achievements. The characteristics of our 
scheme are: 

1. The number of exponentiations is a linear function of the number of bidders; 

2. It is possible to provide anonymity even to the winning bidder; 

3. Any type of auction rule can be employed, like highest price, lowest price or 
Vickrey (second highest price); 

4. Provides user controlled anonymity; 

5. Any anonymity providing mechanism or sealing mechanism can be used, as 
long as they guarantee the required properties; 

6. Phases 2 and 3 permit stateless operation. That is, every bidder need not 
have a continuous connection with the auction centre. This is very useful 
for implementations over stateless protocols like HTTP in 
WWW applications on the Internet. A suitable anonymous token issuing faci- 
lity can be employed to have a stateless Phase 1. 

The characteristics of the schemes [5] that use publicly verifiable secret sha- 
ring are: 

1. Users cannot control confidentiality of their bid during the bidding process; 

2. Generally inefficient; and, 

3. Independent of the auction rules. 

The characteristics of the scheme proposed by Sakurai and Miyazaki [11] are: 

1. It provides user controlled confidentiality for the bid values and the bid values 
of the losing bidders are not revealed; 

2. It requires reliable real time networks and, therefore, may not be suitable 
for use over the Internet; 

3. It can only operate with either the highest price or the lowest price auction 
rules, in order to provide anonymity for losing bidders; 

4. Since bidders must choose the value of the bid from a fixed set of bid values, 
it may not be suitable for all auction scenarios; 

5. The auction system depends critically on the state of the proceedings; and, 

6. If the connection of any single bidder to the network is lost, for whatever 
reason (accidentally or maliciously), the entire auction system will be 
stalled. Thereby, it is less robust. 

Clearly our scheme is more practical, efficient and robust than the other 
schemes. 

5 Conclusion 

We presented a modular, publicly verifiable auction scheme that provides user 
controlled anonymity. The simple design, for a rather complex system, is due to 
the modular approach in the analysis and design methodology. The use of existing 
technologies, such as electronic cash, is crucial for designing complex systems 
with diverse properties. 

The approach helped visualise the benefit of abstracting the sealing process, 
which can be further refined without adversely affecting the properties of the 
auction system. The sealing process can be improved to allow for the recovery of 
plaintext bid values by a quorum of trusted parties, without the participation 
of the bidders. The concept of sealing is required in other application areas, such 
as contract signing and large scale voting, as well. This approach is ideally suited 
for voting protocols, as the identity of the participants can be guaranteed even 
after the third phase. Future research will be directed towards this end. 
Abstract. On-line auctioning is one of the fundamental services for the 
new Internet economy. Most current auction services are public auctions 
where all bids are made available to any party. User privacy is a primary 
concern in the electronic world because the electronic environment facilitates the 
gathering of personal data. This paper proposes a public auction protocol 
that achieves bidder privacy using binding group signatures. A concrete 
solution for preventing defaults in auctions is also presented. 



1 Introduction 

On-line auctions have become an integral part of the Internet economy. 
Many on-line auction servers such as Yahoo! Auction and eBay.com have been 
operating successfully. The number of on-line auctions has been growing ex- 
ponentially. A check on 27 July 1999 saw over 2.4 million auctions running at 
eBay.com at the time. 

On-line auctions can be roughly classified into private auctions and public 
auctions. In a private auction, each bidder secretly submits a bid before a deadline. 
No bidder should learn anything about the competing bids. At a certain time 
after the deadline, a winning bid is chosen by the auctioneer(s). Typical examples 
of private auctions include the auctioning of government contracts, art works and real 
estate. In a public auction, all bids are made public and bidders are allowed to 
outbid competing bids. At the end of the auction, the highest bid wins. Public 
auctions are often used in general auctions where the secrecy of the bidders and 
bids is not a major concern. 

In practice, most on-line auctions are public auctions. This is the case in 
all auctions run at popular auction sites, e.g., eBay.com, Yahoo! Auction and 
Amazon.com. Current auction services provide a weak level of security and privacy 
and make a strong trustworthiness assumption on the bidders. Any user can enrol 
in the system at will and can bid any amount. If a winning bidder refuses to 
pay, the only possible action is to conduct a new auction. Also the identity of 
any bidder is apparent to everyone. 

E. Dawson, A. Clark, and C. Boyd (Eds.): ACISP 2000, LNCS 1841, pp. 427-442, 2000. 
© Springer-Verlag Berlin Heidelberg 2000 

428 K.Q. Nguyen and J. Traore 

The electronic environment facilitates the massive gathering of personal data 
and habits. Consequently, user privacy is a great concern in the on-line electronic 
marketplace, and on-line auctions are no exception. In on-line auctions, user privacy 
takes two forms: bidder privacy and bid secrecy. The difference is that 
bid secrecy means that no party can learn any bid other than the winning bid, while 
bidder privacy allows the adversary to know all bids, including losing bids, but 
does not let the adversary find out the bid(s) of any given bidder. In a private auction, a 
bidder should not be able to learn any information about the competing bids, 
so bid secrecy is critical. In a public auction, the identities of bidders should be 
protected, so bidder privacy is desirable. 

This paper concerns on-line auction systems that protect bidder privacy. 
We present a novel public auction protocol that achieves bidder privacy using a 
new tool: a binding group signature scheme. The protocol provides privacy for 
all losing bidders and fairness to all parties involved. In particular, the bidding 
history of any bidder, including the winning bidder, is not known to anyone. 
An adaptation of this protocol to private auctions is also shown. 

The remainder of this paper is organized as follows. Section 2 discusses the 
security requirements of on-line auctions. Section 3 gives a brief summary of 
previous work in the literature. Section 4 presents the model of group 
signatures and the related tools that will be used as the underlying technique in 
our auction protocol; it includes a group signature sharing scheme. Section 5 
describes our new auction scheme, a public auction protocol that 
protects bidder privacy. Finally, Section 6 extends the results to private auctions. 



2 Requirements 

This section discusses common security requirements for on-line auctions. These 
requirements apply to both public and private auctions. The main security issues of an 
on-line auction service are: 

bid unforgeability: The bid(s) of a bidder can only be generated by the bidder 
herself. No party, not even the ones who control the auction, can forge a bidder's 
bid. 

result verifiability: The selection of the winning bid(s) is verifiable. The winning 
bid is dictated by a deterministic, publicly known rule. No party can award 
the auction to another bid without being detected. 

bid secrecy: Only the winning bid is made public; losing bids should remain 
secret. 

bid unlinkability: It is infeasible to determine whether two bids are made by the 
same bidder. 

bidder anonymity: The identities of bidders are protected. No one should learn 
the identity of losing bidders. 

Here we do not consider the issues that occur after the auction, where the seller 
delivers the object(s) to the winning bidder against the correct payment. Such 
transactions can be done using standard fair exchange [2]. 

Bid secrecy, bid unlinkability and bidder anonymity come in two different 
flavours. One is to hold even after the auction is completed. The other is to hold 
only until the selection procedure has taken place. The former is more desirable, but 
the latter is acceptable in certain scenarios. 

Bid unforgeability and result verifiability are applicable to both public and 
private auctions. Bid secrecy is applicable only to private auctions, while bid 
unlinkability and bidder anonymity are applicable to privacy-protected auctions. 

A private auction system should satisfy bid unforgeability, result verifiability, 
bid secrecy and bidder anonymity. Likewise, a public auction system should 
satisfy bid unforgeability, result verifiability, bidder anonymity and bid 
unlinkability. 

Bid unlinkability is only a genuine concern in a private auction when multiple 
auctions are conducted at the same time by the same auction service. We say that 
an auction service achieves bidder privacy if it achieves both bid unlinkability 
and bidder anonymity. 



3 Related Works 

On-line auctions have received considerable interest in the security research 
community, mainly in the area of private auctions, particularly in recent times. 

Franklin and Reiter [12] proposed a private auction protocol using verifiable 
signature sharing and electronic cash. Their auction service is distributed over 
multiple independent auctioneers. To submit a bid, the bidder generates a signature 
on the bid and distributes the signature and electronic coins to the auctioneers 
using verifiable signature sharing. The bid itself is distributed to the auctioneers using 
verifiable secret sharing. The secrecy of bids is achieved as long as no more than a certain 
number of auctioneers are faulty. In order to determine the winning bid, all bids 
are revealed during the selection process. 

Harkavy, Tygar and Kikuchi [13] observed that this feature might not be 
desirable and proposed a solution to this problem. In their protocol, bids 
are not actually revealed but compared to find the highest bid. They leveraged 
verifiable secret sharing and distributed computation in order to preserve 
bid secrecy. In their system, the bidders encode their bids into secrets that 
are distributed among the auctioneers. After the deadline, the auctioneers compare 
the bids and eliminate bidders, without revealing their bids or their identities, 
using distributed multi-party computation. The winning bidder is revealed at 
the end of the computation. However, the price the authors have to pay is that 
the computation and communication costs of the auctioneers are enormous, and the 
system can in practice only tolerate a very small number of auctioneers. 
Moreover, the bidding range is limited and must be fixed before the auction. 

Later, a different protocol using an oblivious third party was attempted by 
Cachin [3] for the same problem. The protocol is proposed for the two-party case but 
can be extended to the multi-party case. In this proposal, all bidders are required 
to take part in the selection process. The workload and communication complexity 
of each bidder grows linearly with the number of bidders. Also, the identity of 
any bidder is known to all other (competing) bidders. 

Under our security classification, the scheme in [12] achieves bid unforgeability, 
result verifiability and bid secrecy prior to the selection procedure. The 
schemes in [3,13] achieve bid secrecy even after the selection procedure. None of 
them provides bidder privacy. Note that [12,13] provide limited bidder 
privacy, i.e., while the identity of a bidder is not known to competing bidders, 
each auction server knows the identities of all bidders at some stage during the 
auction. 

All the above works have only considered the case of private auctions; they 
do not cover public auctions. This is perhaps due to the perception 
that private auctions pose more challenging technical issues than public 
auctions. To our knowledge, there exist only a few studies on public auctions in the 
literature [14,16]. However, those studies do not address the security aspects 
of public auctions in detail but rather describe different methods of conducting 
public auctions. 

Adapting existing private auction schemes to public auctions seems impossible. 
This is because the main feature of existing work on private auctions is 
to provide bid secrecy, which is not applicable in public auctions. 



4 Group Signatures 

This section reviews the concept of group signatures and its extensions. These 
concepts are the building blocks for our auction protocol. Here, we present a 
verifiable group signature sharing scheme which is of independent interest and can 
be useful in many cryptographic protocols. To our knowledge, no such protocol 
exists in the literature. 

A group signature scheme allows a group member to sign a message on the 
group's behalf such that everybody can verify the signature but no one can find 
out which group member has generated the signature. However, there is a trusted 
third party, called the revocation manager, who can efficiently reveal the identity 
of the originator of a signature in the case of later disputes. 

Formally, the model of group signatures consists of a group manager $M$, a 
revocation manager $R$, a set of group members $\{P_1, \dots, P_m\}$, a security 
parameter $k$ and the five following procedures. 

setup: A probabilistic protocol that on input $1^k$ outputs the group public 
key $\mathcal{Y}$, a revocation secret key $\omega$ to the revocation manager $R$ and a 
membership generation secret key $x$ to the group manager $M$. 

registration: A probabilistic interactive protocol between a member and the 
group manager $M$ that on input $1^k$ outputs a membership secret key 
$x_i$ to the group member $P_i$. 

sign: A probabilistic protocol that on input a message $m$, a membership secret 
key $x_i$ and the group public key $\mathcal{Y}$, $\mathrm{sign}(m, x_i, \mathcal{Y})$, returns a signature $\sigma$ of 
$m$. 

verify: A deterministic algorithm that on input a message $m$, a signature $\sigma$ and 
the group public key $\mathcal{Y}$, $\mathrm{verify}(m, \sigma, \mathcal{Y})$, outputs yes if and only if $\sigma$ is a 
correct signature of $m$. 

open: An algorithm that takes as input a message $m$, the group public key $\mathcal{Y}$, a 
signature $\sigma$ and the revocation secret key $\omega$. If $\sigma$ is a valid group signature 
of $m$, $\mathrm{open}(\sigma, m, \mathcal{Y}, \omega)$ outputs the identity of a member $P_i$ and a proof that 
the group member $P_i$ indeed signed $m$. 

A group signature scheme is considered secure if it satisfies the following 
security requirements: 

membership unforgeability: It is infeasible to compute a membership secret key 
$x_i$ that can generate valid group signatures without the knowledge of the 
membership generation secret key $x$. 

signature unforgeability: Without a valid membership secret key $x_i$, it is infeasible 
to generate a signature $\sigma$ on a message $m$. 

anonymity: Given a signature, it is infeasible to find out which member has 
signed the message without the knowledge of the revocation key $\omega$. 

unlinkability: Given two signatures, it is infeasible to determine whether the two 
signatures were issued by the same group member. 

framing: Without the knowledge of the membership secret key $x_i$, no one can 
sign on behalf of the group member $P_i$, even in cooperation with the group 
manager and the revocation manager. 

revocation: Given a signature, the revocation manager, who possesses the revocation 
key $\omega$, can always determine the member who issued the signature. 

Historically, the concept of group signatures was introduced by Chaum and 
van Heyst [9]. Since its invention, several concrete, improved and generalized 
group signature schemes have been proposed [10,4]. However, all these schemes are 
inefficient and require the size of the group public key and of group signatures to grow 
linearly with the size of the group. Recently, Camenisch and Stadler proposed 
two efficient group signature schemes in [6] that achieve constant size for the 
group public key and group signatures. Later, group signature schemes with 
improved performance and better flexibility were proposed in [5,7,18]. We note 
here that the revocation manager in all those schemes can be shared among a set 
of entities using verifiable secret sharing [17]. This feature is critical to providing 
efficient robustness in our auction protocol. 

4.1 A Group Signature Scheme 

For concreteness, this subsection reviews one of the group signature schemes 
presented in [6].¹ Since the description of the scheme is rather complex, we will 
focus on the features that we will need for our construction of the auction system. 

¹ In fact, we will use a modified version of this scheme in order to thwart the attack 
described in [18]. 
The System Setup Protocol. To set up the group signature scheme, the group 
manager $M$ computes the following information: 

— an RSA public key $(n, e)$, where $n$ is the product of two safe primes, 

— a cyclic group $G = \langle g \rangle$ of order $n$ over the finite field $\mathbb{Z}_p$ for a prime $p$, 

— an element $a \in \mathbb{Z}_n^*$ of order $\varphi(n)/4$, and 

— an upper bound $\lambda$ on the length of the secret keys and a constant $\epsilon > 1$. 

The revocation manager $R$ computes the following: 

— a secret key $\omega \in \mathbb{Z}_n^*$, 

— a random generator $h$ of $G$, 

— $Y_R = h^{\omega}$, and 

— a constant $b \neq 1$. 

The group public key is then $\mathcal{Y} = (n, e, G, g, a, \lambda, \epsilon, h, Y_R, b)$. The group 
manager's private key (i.e., the membership generation secret key) is $d$, the 
secret exponent corresponding to the RSA public key $(n, e)$, and the revocation 
manager's private key is $\omega$. 

The Registration Protocol. To register as a group member, $P_i$ chooses a 
random secret number $x \in_R \{0, \dots, 2^{\lambda} - 1\}$ and sends the value $y = a^{x} \bmod n$ 
to the group manager. In turn, the manager returns $v = (y + b)^{d} \bmod n$. The 
membership secret key is then $(x, v)$, satisfying 

$$a^{x} + b = v^{e} \bmod n.$$ 

Here $x$ is the secret part of the membership secret key that is not seen by the 
group manager. 

The Sign & Verify Protocols. Given a message $m$, a group member who 
possesses a membership secret key $(x, v, y = a^{x})$ can generate a group signature 
$\sigma$ on $m$ as follows: 

— $\tilde g = g^{r}$ and $\tilde z = \tilde g^{y}$ for $r \in_R \mathbb{Z}_n^*$, 

— $d_1 = Y_R^{u} g^{y}$ and $d_2 = h^{u}$ for $u \in_R \mathbb{Z}_n^*$, 

— $V_1 = SK\{(\gamma, \delta) : \tilde z = \tilde g^{\gamma} \wedge d_2 = h^{\delta} \wedge d_1 = Y_R^{\delta} g^{\gamma}\}(m)$, 

— $V_2 = SK\{(\beta) : \tilde z = \tilde g^{a^{\beta}}\}(V_1)$, and 

— $V_3 = SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}(V_2)$. 

The verification is to check the correctness and consistency of the signatures 
of knowledge $V_1$, $V_2$ and $V_3$. 

Note: Here, $SK\{(x_1, \dots, x_k) : z_1 = f_1(x_1, \dots, x_k) \wedge \dots \wedge z_l = f_l(x_1, \dots, x_k)\}(m)$ 
denotes a signature of knowledge on the message $m$ of the secrets $x_1, \dots, x_k$ 
satisfying all $l$ statements $z_1 = f_1(x_1, \dots, x_k), \dots, z_l = f_l(x_1, \dots, x_k)$. The 
main characteristic of signatures of knowledge is that a signature of knowledge cannot 
be constructed without the knowledge of the secret(s). A detailed discussion 
of signatures of knowledge can be found in [4]. 

The Open Protocol. To open a signature, the revocation manager computes 
$d_1 / d_2^{\omega} = g^{y}$. This value is then matched against the values $g^{y}$ stored in the 
database of registered group members. As $y$ is seen by the group manager during 
registration, $g^{y}$ can be computed and stored. The signer is identified once a 
match is found. 

So far, this group signature scheme is considered secure, though no formal 
proof is known yet. 

4.2 A Verifiable Group Signature Sharing Scheme 

Apart from a group signature scheme, we further need a new tool, namely a 
verifiable group signature sharing scheme. 

The concept of signature sharing was introduced in [11]. In this technique, 
the showing of a signature is first converted into the showing of some public 
information and the showing of a particular homomorphic inverse. Intuitively, this 
means that to reveal a signature one can simply show some public information 
and the inverse of some value under a homomorphic function. The homomorphic 
inverse is then shared amongst the designated entities using secret sharing. 
We now show a group signature sharing scheme based on the group signature 
scheme given in the previous section. 

Before going further, we give the detailed construction of the signature of 
knowledge $SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}$ that is used in the group signature scheme. A 
$SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}(V_2)$ consists of the tuple $(c, s)$ satisfying the equation 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| g_0^{r} \| \dots \| g_{e-1}^{r}),$$ 

where $r$ is a random number, $s = r - c\alpha \bmod n$, $g_0 = \tilde g$ and $g_{i+1} = g_i^{\alpha}$ for 
$i = 0, \dots, e-1$. The signature of knowledge can be verified by checking whether 
$\tilde z \tilde g^{b} = g_e$ and 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| g_0^{s} g_1^{c} \| \dots \| g_{e-1}^{s} g_e^{c}).$$ 

Let $y_i = g_i^{s}$ for $i = 0, \dots, e-1$. This signature of knowledge can be reduced 
to the showing of the public information $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ and a 
secret $s$. Here $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ satisfies 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| y_0 g_1^{c} \| \dots \| y_{e-1} g_e^{c}).$$ 



Lemma 1. A set $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ that satisfies 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| y_0 g_1^{c} \| \dots \| y_{e-1} g_e^{c})$$ 
can be constructed from public information. 

Such a set $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ can be created from public information 
by choosing $w_0, \dots, w_{e-1}$ at random, computing 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| w_0 \| \dots \| w_{e-1})$$ 

and setting $y_i = w_i / g_{i+1}^{c}$ for $i = 0, \dots, e-1$. To determine whether 
$(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ represents a valid signature, one has to determine 
whether $\log_{g_i}(y_i) = \log_{g_j}(y_j)$, which is hard for $i \neq j \in \{0, \dots, e-1\}$. 

Theorem 1. In this construction, the showing of a signature 

$$SK\{(\alpha) : \tilde z \tilde g^{b} = \t ilde g^{\alpha^{e}}\}$$ 

is equivalent to the showing of some public information $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ 
satisfying 

$$c = \mathcal{H}(V_2 \| g_0 \| \dots \| g_e \| y_0 g_1^{c} \| \dots \| y_{e-1} g_e^{c})$$ 
and a secret $s$ such that $y_i = g_i^{s}$ for $i = 0, \dots, e-1$. 

Proof (Sketch). It is trivial to see that a signature $SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}(V_2)$ 
can be converted into $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ and $s$. Also, given public 
information $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$, if there is a value $s$ such that $y_i = g_i^{s}$ 
for $i = 0, \dots, e-1$, then $(c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ and $s$ form a valid 
signature. 

Next, we show how to convert the showing of a group signature into the showing 
of some public information and the showing of a discrete logarithm. This is the 
critical step in our group signature sharing scheme. A group signature $\sigma$ consists 
of 

— $\tilde g = g^{r}$ and $\tilde z = \tilde g^{y}$ for $r \in_R \mathbb{Z}_n^*$, 

— $d_1 = Y_R^{u} g^{y}$ and $d_2 = h^{u}$ for $u \in_R \mathbb{Z}_n^*$, 

— $V_1 = SK\{(\gamma, \delta) : \tilde z = \tilde g^{\gamma} \wedge d_2 = h^{\delta} \wedge d_1 = Y_R^{\delta} g^{\gamma}\}(m)$, 

— $V_2 = SK\{(\beta) : \tilde z = \tilde g^{a^{\beta}}\}(V_1)$, and 

— $V_3 = SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}(V_2)$. 

We keep $d_1, d_2, V_1$ and $V_2$ and divide $V_3$ into $\mathcal{P} = (c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ 
and $\mathcal{S} = (s)$. Then to show a valid signature $\sigma$, one can show the public information 
$\{(d_1, d_2, V_1, V_2), \mathcal{P}\}$ and the discrete logarithm $s$. As $\mathcal{S}$ and $\mathcal{P}$ form a valid 
$V_3$, $s$ and $\{(d_1, d_2, V_1, V_2), \mathcal{P}\}$ form a valid group signature. It remains to show 
that $\{(d_1, d_2, V_1, V_2), \mathcal{P}\}$ can be computed from public information. This is done 
as follows. First choose random numbers $r \in_R \mathbb{Z}_n^*$ and $\beta \in \{0, \dots, 2^{\lambda} - 1\}$. Then 
compute $y = a^{\beta}$, $\tilde g = g^{r}$, $\tilde z = \tilde g^{y}$. Next choose $u \in_R \mathbb{Z}_n^*$ and compute $d_1 = Y_R^{u} g^{y}$ 
and $d_2 = h^{u}$. Now form $V_1 = SK\{(\gamma, \delta) : \tilde z = \tilde g^{\gamma} \wedge d_2 = h^{\delta} \wedge d_1 = Y_R^{\delta} g^{\gamma}\}(m)$ and 
$V_2 = SK\{(\beta) : \tilde z = \tilde g^{a^{\beta}}\}(V_1)$. Finally compute $\mathcal{P} = (c, V_2, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ as 
in the converting algorithm for $SK\{(\alpha) : \tilde z \tilde g^{b} = \tilde g^{\alpha^{e}}\}(V_2)$. It is clear that $V_1$ and 
$V_2$ are valid signatures of knowledge. Thus showing a valid signature $\sigma$ is 
equivalent to showing some public information and a discrete logarithm $s$ satisfying 
$y_i = g_i^{s}$ for $i = 0, \dots, e-1$. 

Now, to share a group signature $\sigma$ between several entities, the user who 
possesses the signature divides the signature into the public information $\{(d_1, d_2, V_1, V_2), 
\mathcal{P}\}$ and the discrete logarithm $s$. She then sends all the public information 
to all entities and distributes the shares of the discrete logarithm $s$ to 
the respective designated entities using secret sharing. The group signature sharing 
is verifiable if verifiable secret sharing is used. As discrete-logarithm based 
(verifiable) secret sharing is a well-studied topic, we omit the constructions. 
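The construction above, run on toy parameters, as an added example that is not part of the paper: the signature of knowledge of an $e$-th root ($V_3$), its verification, the split into the public information $(c, g_0, \dots, g_e, y_0, \dots, y_{e-1})$ plus the shared discrete logarithm $s$ (Theorem 1), and the Lemma 1 simulation, whose output passes the public hash check yet has no single $s$ with $y_i = g_i^{s}$. The modulus $n = 11 \cdot 23$, $p = 4n + 1$, $e = 3$, $b = 2$, SHA-256 standing in for $\mathcal{H}$, and a membership value $y$ drawn directly in place of $a^x$ are assumptions of this example; the sizes are insecure and only make the arithmetic checkable.

```python
"""Added example (not from the paper): toy instance of V3 = SK{(alpha): z~ g~^b = g~^(alpha^e)}(V2),
its split into public information plus one shared discrete logarithm s (Theorem 1), and the
Lemma 1 simulation. All parameters are assumptions of this example and far too small to be secure."""
import hashlib
import random

P1, Q1 = 11, 23                       # safe primes: 11 = 2*5 + 1, 23 = 2*11 + 1
N = P1 * Q1                           # RSA modulus n = 253 of the group signature scheme
E = 3                                 # RSA exponent e, gcd(3, phi(n) = 220) = 1
D = pow(E, -1, (P1 - 1) * (Q1 - 1))   # group manager's secret exponent d (Python >= 3.8)
PRIME = 1013                          # p = 4n + 1, so Z_p^* has a subgroup G of order n
B = 2                                 # the public constant b != 1


def order_n_generator():
    """Generator g of the subgroup G of order n in Z_p^*."""
    for h in range(2, PRIME):
        g = pow(h, (PRIME - 1) // N, PRIME)
        if g != 1 and pow(g, N // P1, PRIME) != 1 and pow(g, N // Q1, PRIME) != 1:
            return g
    raise ValueError("no element of order n")


def H(*items):
    """Fiat-Shamir hash over the transcript; SHA-256 stands in for the paper's H."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(), "big")


def sk_eth_root_sign(msg, g_tilde, alpha, rng):
    """Prover knowing alpha: chain g_0 = g~, g_{i+1} = g_i^alpha, commitments g_i^r,
    response s = r - c*alpha mod n. Returns (c, s, chain)."""
    chain = [g_tilde]
    for _ in range(E):
        chain.append(pow(chain[-1], alpha, PRIME))
    r = rng.randrange(N)
    c = H(msg, *chain, *[pow(g_i, r, PRIME) for g_i in chain[:-1]])
    return c, (r - c * alpha) % N, chain


def sk_eth_root_verify(msg, z_tilde, c, s, chain):
    """z~ g~^b must equal g_e, and g_i^s g_{i+1}^c must reproduce the hashed commitments."""
    if z_tilde * pow(chain[0], B, PRIME) % PRIME != chain[-1]:
        return False
    opened = [pow(chain[i], s, PRIME) * pow(chain[i + 1], c, PRIME) % PRIME for i in range(E)]
    return H(msg, *chain, *opened) == c


def split_for_sharing(c, s, chain):
    """Theorem 1: public part (c, g_0..g_e, y_0..y_{e-1}) with y_i = g_i^s; secret part s."""
    return (c, chain, [pow(g_i, s, PRIME) for g_i in chain[:-1]]), s


def public_part_ok(msg, pub):
    """Checkable by anyone without s: c = H(V2 || g_0..g_e || y_0 g_1^c || ... || y_{e-1} g_e^c)."""
    c, chain, ys = pub
    return H(msg, *chain, *[ys[i] * pow(chain[i + 1], c, PRIME) % PRIME for i in range(E)]) == c


def secret_part_ok(pub, s):
    """Only the holder of the shared discrete logarithm s can show y_i = g_i^s for all i."""
    _, chain, ys = pub
    return all(pow(chain[i], s, PRIME) == ys[i] for i in range(E))


def simulate_public_part(msg, g_tilde, z_tilde, rng):
    """Lemma 1: a public part built from public data only. g_1..g_{e-1} are arbitrary,
    g_e is forced to z~ g~^b, and y_i = w_i / g_{i+1}^c for random w_i."""
    chain = [g_tilde] + [pow(g_tilde, rng.randrange(1, N), PRIME) for _ in range(E - 1)]
    chain.append(z_tilde * pow(g_tilde, B, PRIME) % PRIME)
    ws = [pow(g_tilde, rng.randrange(1, N), PRIME) for _ in range(E)]
    c = H(msg, *chain, *ws)
    ys = [ws[i] * pow(pow(chain[i + 1], c, PRIME), -1, PRIME) % PRIME for i in range(E)]
    return c, chain, ys


def shared_log(pub):
    """Brute force, toy sizes only: the s with y_i = g_i^s for every i, or None."""
    return next((s for s in range(N) if secret_part_ok(pub, s)), None)


def demo(seed=7):
    rng = random.Random(seed)
    g = order_n_generator()
    y = rng.randrange(1, N)                 # stands for y = a^x of a registered member (assumption)
    v = pow((y + B) % N, D, N)              # membership certificate v with v^e = y + b mod n
    g_tilde = pow(g, rng.randrange(1, N), PRIME)
    z_tilde = pow(g_tilde, y, PRIME)
    msg = "V2"                              # V3 is a signature of knowledge on V2
    c, s, chain = sk_eth_root_sign(msg, g_tilde, v, rng)
    pub, secret = split_for_sharing(c, s, chain)
    fake = simulate_public_part(msg, g_tilde, z_tilde, rng)
    return {
        "v3_verifies": sk_eth_root_verify(msg, z_tilde, c, s, chain),
        "sharing_public_ok": public_part_ok(msg, pub),
        "sharing_secret_ok": secret_part_ok(pub, secret),
        "forged_public_ok": public_part_ok(msg, fake),
        "forged_has_shared_log": shared_log(fake) is not None,
    }
```

demo() returns the five checks as a dictionary. shared_log brute-forces the exponent, which is only possible at these toy sizes; at real sizes a verifier given the public part alone cannot tell a genuine split from a Lemma 1 simulation, which is exactly why the shares of $s$ carry the signature.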

5 A Public Auction Protocol Protecting Bidder Privacy 

This section presents a public auction system that protects bidder privacy. At a 
high level, the auction system works as follows. We deploy a group 
signature scheme in which the group manager is the auction manager and the auction 
participants (sellers and buyers) are group members. To enrol in the system, each 
participant contacts the group manager and obtains a membership secret key. 
Then, for each auction, a bidder can bid a value by generating a signature on 
the bid using her membership secret key $x_i$. At the deadline, the identity of the 
bidder who posted the highest bid is retrieved using the revocation procedure of 
the group signature scheme. Bidder privacy is protected due to the anonymity 
and unlinkability properties of the underlying group signature scheme. 

Formally, the auction system works as follows. Let $M$ be the auction manager, 
$A$ the auction server, $S_1, \dots, S_m$ the sellers, and $B_1, \dots, B_l$ the bidders in the 
auction service. The auction manager is the party who organizes the auction service; 
its main task is to set up the service. The auction server is the party 
who conducts the auctions. Sellers are those who wish to sell some items through 
the auction service. Bidders are those who wish to buy some items through the 
auction service. In practice, $M$ and $A$ are likely played by the same party. However, 
we use different notations to distinguish their roles. 

Similar arguments apply to the notations $S_j$ and $B_i$. We use $S$ to denote 
a generic seller and $P$ to denote a generic participant, i.e., a seller or a bidder. 
Further, we assume the existence of two bulletin boards $\mathcal{B}$ and $\mathcal{L}$. $\mathcal{B}$ is publicly 
readable and writable, but only $A$ can delete content already posted on $\mathcal{B}$. $\mathcal{L}$ is 
publicly readable by everyone, but only $A$ can modify the content of $\mathcal{L}$. 

For the moment, we assume that $A$ and, respectively, $M$ are each implemented as 
a single trusted entity. Later we will discuss how to share the functionalities of 
$A$ and $M$ over a quorum of independent auctioneers and managers. 

The auction service consists of the following procedures: 

setup: To set up the service, $M$ announces the service and its scope. Further, $M$ 
identifies the identity of $A$. $M$ and $A$ then run the setup procedure of a group 
signature scheme, which generates the service public key $\mathcal{Y}$, a service secret 
key $x$ known only to $M$ and a group revocation secret key $\omega$ known only to 
$A$. 

registration: To participate in the system, each party $P$ has to register with $M$. 
If $M$ accepts $P$ into the service, $M$ issues $P$ a certificate cert stating the 
conditions of $P$'s membership. This might include whether $M$ allows $P$ to be a 
seller and/or buyer, and in which capacity. Also, $M$ runs the registration procedure 
of the group signature scheme with $P$, by which $P$ obtains a membership secret 
key $x_P$ of the group signature scheme. 

auction preparation: To auction an item, $S$ contacts $M$ using her/his membership 
certificate with the description of the item. If the description is within the 
conditions of $S$'s membership certificate, $M$ signs the description, creates a 
thread on $\mathcal{B}$ for $S$ and posts the item's description with its signature on the 
thread. Also, $S$ informs $A$ of the auction. 

bid submission: If a bidder $B_i$ wishes to bid for an item, $B_i$ checks the item's 
thread and verifies that the auction is genuine, i.e., authorized by $M$. Then $B_i$ 
posts his/her bid on the item on the thread by running the sign procedure 
of the group signature scheme using his/her membership secret key. 

bid selection: After the deadline, $A$ chooses the highest (or the most suitable) 
bid and runs the verify procedure. If the output is yes, $A$ accepts the 
bid as the winning bid. Otherwise, $A$ repeats the process for the remaining 
bids. Once a winning bid is determined, $A$ runs the open procedure on the 
corresponding signature (i.e., the winning bid) and identifies the winning bidder 
$B_j$. In this phase, it is also essential for $A$ to verify that the winning bidder 
remains valid by checking the black list $\mathcal{L}$. If the answer is no, $A$ repeats the 
process with the remaining bids. 

winner announcement: After the winning bid is chosen and verified, $A$ posts 
the identity of the winning bidder on the thread along with the identities 
of the bidders of all failed higher bids. $A$ should include proofs that the 
failed bids were made by those bidders. Result verifiability is then achieved 
by checking whether the failed bidders are on the black list $\mathcal{L}$. 



5.1 Security 

We show that the proposed auction system achieves bid unforgeability, result 
verifiability, bid unlinkability and bidder anonymity. As each bid is a group 
signature, bid unforgeability, bid unlinkability and bidder anonymity follow from the 
security properties of the underlying group signature scheme. Result verifiability 
is due to the deterministic rule of the selection process and to the fact that the 
identities of the bidders who submitted higher bids are published. Thus one can verify 
the correctness of the auction by checking whether the winning bid was chosen according 
to the rule and whether all the identities of bidders who made better bids are 
on the black list $\mathcal{L}$. 



5.2 Other Issues 

The black list $\mathcal{L}$. $\mathcal{L}$ is the list of participants that have had their memberships 
revoked. A membership is usually revoked when the participant is detected 
committing a fraud. At start-up, $\mathcal{L}$ is empty. $M$ puts a participant $P$ on the black list 
$\mathcal{L}$ if $P$ has refused to pay or to deliver in some previous auction. Frauds are not 
actively detected but found when other participants complain and the evidence 
is verified. Here we assume that complaints about the transactions between winning 
bidders and sellers can be verified. In later sections, we discuss this issue 
further. 

Clearly, the size of $\mathcal{L}$ will grow with time. It is essential to limit the size of 
$\mathcal{L}$. This is done by expiring the public key $\mathcal{Y}$ after a certain period, thus requiring 
each participant to renew their secret membership key and updating the public 
information. An alternative method is to incorporate partial blind signatures [1] into 
the group signature model. The advantage then is that the public information can be 
left unchanged for a longer period. 

Distributing the roles of $A$ and $M$. The main role of $M$ is to enrol sellers and 
bidders into the system. $M$ is not actively involved in any auction. In fact, the 
security and privacy of any auction do not rely on $M$. Furthermore, as $M$ is the 
owner of the service, there is not much incentive for $M$ to cheat. Thus using a 
single party to play the role of $M$ is reasonable. Of course, $M$ can be distributed 
among several entities. Then the registration procedure uses distributed multi-party 
computation, which involves intensive computation. However, it is still 
acceptable since the procedure is one-off for each seller or bidder. In 
this case, $M$ should only be distributed over a small number of entities. Note 
that the schemes in [3,13] require some form of multi-party computation in every 
auction. 

The main role of $A$ is to identify the winning bidder in each auction, which is 
the role of the revocation manager in the group signature scheme. Consequently, 
$A$ can be distributed among several entities using verifiable secret sharing. The 
computation cost for each entity is scalable and reasonable: it depends only linearly 
on the number of entities, not on the number of bids. 

Here we emphasise that bidder privacy is still protected against any number 
of faulty servers or managers under the threshold. This is not achieved in the 
protocols in [12,13,3]. 

User Privacy. Users are all parties that participate in the system either as sellers 
or bidders. Only a small subset of users take part in each auction. To register 
in the system, each user runs the registration procedure to obtain a certificate 
from $M$. In this procedure, it is logical that $M$ has to know the user's identity 
so that $M$ can determine whether to issue a certificate to the user. In return 
for the certificate, $M$ should receive some evidence that legally binds the user to 
the system policy. Otherwise, it is not legally possible to hold a dishonest user 
accountable. In reality, the evidence is the user's agreement to the system policy. 
Such an agreement is often represented as a signature of the user on the system 
policy. In some circumstances, a dishonest $M$ might compromise user privacy by 
passing the agreements to other entities, e.g., for advertising purposes. Thus, it 
is desirable to have a mechanism that legally binds the user to the system policy 
while preventing $M$ from giving this information to others. Here, we present the 
intuition of such a solution. 

Before going further, let us recall the construction of group signature schemes. 
When a member is enrolled in the group, the group manager (i.e., $M$ in our 
case) issues a membership secret key to the member. This membership secret 
key is a membership certificate that can be issued only by the group manager. 
In order to prevent framing attacks, the group manager does not see the whole 
certificate. The certificate contains some information that is known only to the 
member. This information is used in the generation of group signatures. 

Assuming that each user $P$ has a legally binding secret/public key pair $(sk, pk = 
f(sk))$, where $f()$ is some hard-to-invert function, we design the solution as follows. 
In the registration, $P$ does not have to sign any agreement, but $P$ is required 
to use $sk$ as the part of the membership secret key that is not seen by $M$. 
Of course, $P$ has to prove this fact to $M$ in (non-transferable) zero-knowledge. 

It is difficult for $M$ to prove to others that $P$ is a user, because $M$ would not be 
able to demonstrate that the secret key $sk$ of $P$ is used in the membership secret 
key. However, when $P$ misuses the membership secret key, $M$ can prove this in 
court once $M$ detects the key misuse. The reason is that in this case $M$ detects 
the misuse only when $M$ gathers a signature signed with the membership secret 
key of $P$. A signature can be signed only with full knowledge of a membership 
secret key. Thus when $P$ signs a message, $P$ has to use $sk$. This value is not known 
to $M$. Then, in court, $M$ can prove that $P$ is the misbehaving user by asking 
$P$ to prove whether $sk$ is part of the membership secret key used to generate 
the signature. If $P$ can prove the contrary, then $M$ is the cheating party. Note 
that only $P$ can carry out the proof because only $P$ knows $sk$. 

It remains to show a protocol that allows a user to prove that her secret key 
is included in her membership secret key of the group. We proceed by giving such 
a protocol for the group signature scheme given in Section 4.1. We assume 
that each user has a legally binding secret/public key pair, which can be for 
example a key pair $(x, W = G^{x} \bmod P)$, where $G$ is a generator of a subgroup 
of prime order $Q$ of the prime finite field $\mathbb{Z}_P$. The values of $G$, $Q$ and $P$ are 
chosen by some certificate authority that is completely independent of the group 
signature system. 

Now each user can prove to the group manager that the secret information 
$x$ generated by the user and kept secret from the group manager is the same 
as the secret key $x$ of the user's legally binding key pair $(x, W = G^{x})$, using the 
following binding protocol. 

Let $\ell$ denote the size of the challenge chosen by the group manager. The 
value of $\ell$ must not be too large. Typically $\ell$ is chosen as $\ell = 40$. We further 
assume that the value $\lambda$ satisfies $2^{\lambda} < Q$. First, the group manager sends 
to the user a large number $N$ that is the product of two safe primes, of whose 
factorization the user has no prior knowledge. The number $N$ should satisfy 
$|N| > 2|P| + 1$ and $|N| > 2|n| + 1$. If necessary, the group manager can prove 
the correctness of $N$ using the protocols given in [15]. The group manager also 
sends to the user a number $A$ which is a quadratic residue modulo $N$ and has a large 
order in $\mathbb{Z}_N^*$. The binding protocol is given in Figure 1. 
User $U$ holds $(N, P, n, a, G, A, y, W, x)$; the group manager $M$ holds $(N, P, n, a, G, A, y, W)$. 

$U$: $r \in_R [0, 2^{\epsilon(\ell+\lambda)} - 1]$, 
$Y \leftarrow A^{x} \bmod N$, 
$s_a \leftarrow a^{r} \bmod n$, 
$s_G \leftarrow G^{r} \bmod P$, 
$s_A \leftarrow A^{r} \bmod N$. 

$U \rightarrow M$: $Y, s_a, s_G, s_A$ 

$M$: $c \in_R \{0, \dots, 2^{\ell} - 1\}$ 

$M \rightarrow U$: $c$ 

$U$: $w \leftarrow r - cx$ over $\mathbb{Z}$ 

$U \rightarrow M$: $w$ 

$M$ checks: $w \in [-(2^{\ell} - 1)(2^{\lambda} - 1),\ 2^{\epsilon(\ell+\lambda)} - 1]$, 
$s_a = a^{w} y^{c} \bmod n$, 
$s_G = G^{w} W^{c} \bmod P$, 
$s_A = A^{w} Y^{c} \bmod N$. 

Fig. 1. The binding protocol 



For a discussion of the security of this scheme, we refer the reader to [8,18] 
(where the security of a similar protocol is analyzed). We also refer to [18] for a 
method to prevent abuse made with compromised group signature keys. 

If the group manager accuses the user of cheating, e.g., of defaulting on her winning 
bid, the user, who possesses the legally binding public key $W = G^{x}$, can prove her 
honesty by showing $W$, $y' = a^{x}$ and that the same $x$ is used in $W$ and $y'$. The 
user is then innocent if $y' \neq y$. 
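A toy run of the binding protocol of Figure 1, which is also the proof the user gives in court above, as an added example that is not part of the paper. The parameters $n = 11 \cdot 23$, $P = 1019$ with $Q = 509$, $N = 2039 \cdot 4079$, $A = 9$, $\lambda = 8$, $\ell = 4$ and $\epsilon = 2$ are chosen here so that $2^{\lambda} < Q$, $|N| > 2|P| + 1$ and $|N| > 2|n| + 1$ hold at checkable sizes; they are assumptions of the example and insecure. The demo runs the honest protocol, then a user whose legal key $W = G^{x'}$ uses a different $x'$ and is rejected on every non-zero challenge, then an out-of-range response, which the range check rejects before any of the three equations is compared.

```python
"""Added example (not from the paper): toy run of the binding protocol of Fig. 1. The user
proves that the same x underlies y = a^x mod n, W = G^x mod P and Y = A^x mod N.
All parameters are assumptions of this example; sizes are far too small to be secure."""
import math
import random

n = 11 * 23                     # group-signature RSA modulus, product of two safe primes
P, Q = 1019, 509                # P = 2Q + 1; the legal keys live in the order-Q subgroup
G = pow(2, (P - 1) // Q, P)     # generator of that subgroup (2^2 = 4 has prime order Q)
N = 2039 * 4079                 # manager's modulus of unknown factorization to the user:
                                # |N| = 23 > 2|P| + 1 = 21 and > 2|n| + 1 = 17
A = pow(3, 2, N)                # quadratic residue modulo N with order 1019 * 2039
LAMBDA, ELL, EPS = 8, 4, 2      # |x| <= lambda with 2^lambda < Q; challenge bits; eps > 1
R_MAX = 2 ** (EPS * (ELL + LAMBDA))               # r in [0, R_MAX - 1]
W_LO = -(2 ** ELL - 1) * (2 ** LAMBDA - 1)        # smallest honest w = r - c*x
W_HI = R_MAX - 1                                  # largest honest w


def element_of_order(mod, order, prime_factors):
    """Smallest unit modulo mod of exactly the given order."""
    for cand in range(2, mod):
        if (math.gcd(cand, mod) == 1 and pow(cand, order, mod) == 1
                and all(pow(cand, order // f, mod) != 1 for f in prime_factors)):
            return cand
    raise ValueError("no element of that order")


a = element_of_order(n, 55, (5, 11))   # order phi(n)/4 = 55 in Z_n^*, as in the scheme setup


def user_commit(x, rng):
    """First message: Y = A^x and the three commitments to one random r."""
    r = rng.randrange(R_MAX)
    msg = {"Y": pow(A, x, N), "s_a": pow(a, r, n), "s_G": pow(G, r, P), "s_A": pow(A, r, N)}
    return r, msg


def manager_challenge(rng):
    return rng.randrange(2 ** ELL)


def user_response(r, c, x):
    return r - c * x                     # over Z: deliberately not reduced modulo anything


def manager_verify(y, W, msg, c, w):
    """Range check first, then the three equations of Fig. 1 (negative w uses inverses,
    Python >= 3.8)."""
    if not W_LO <= w <= W_HI:
        return False
    return (pow(a, w, n) * pow(y, c, n) % n == msg["s_a"]
            and pow(G, w, P) * pow(W, c, P) % P == msg["s_G"]
            and pow(A, w, N) * pow(msg["Y"], c, N) % N == msg["s_A"])


def run_binding(x_group, x_legal, rng, challenge=None):
    """One protocol run: y from the group registration x, W from the legal key x."""
    y, W = pow(a, x_group, n), pow(G, x_legal, P)
    r, msg = user_commit(x_group, rng)
    c = manager_challenge(rng) if challenge is None else challenge
    return manager_verify(y, W, msg, c, user_response(r, c, x_group))


def demo(seed=11):
    rng = random.Random(seed)
    x = rng.randrange(2 ** LAMBDA)
    x_other = (x + 1) % 2 ** LAMBDA                       # a legal key that does not match
    honest = run_binding(x, x, rng)
    mismatch = any(run_binding(x, x_other, rng, challenge=c) for c in range(1, 2 ** ELL))
    r, msg = user_commit(x, rng)
    too_big = manager_verify(pow(a, x, n), pow(G, x, P), msg, 1, W_HI + 1)
    return {"honest_accepted": honest, "wrong_legal_key_accepted": mismatch,
            "out_of_range_accepted": too_big}
```

The response $w$ is kept as an integer on purpose: reducing it modulo any one group order would break the equations in the other two groups, and the range check is what turns the commitment in the unknown-order group $\mathbb{Z}_N^*$ into a bound on the exponent the user actually used.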

5.3 Default Prevention

So far we have only considered security issues arising before the winning bid is chosen. In this section we consider the issues arising after the winning bid is selected. The main security concern after the winning bid is awarded is the case where the winning bidder defaults on her bid. So far we have proposed that in this case the system manager puts the bidder on the black list $\mathcal{L}$ once the default is detected. Nonetheless, in such cases the seller has to organize a new auction altogether. Ideally, there should be some way to force the bidder to pay once she is awarded the auction.

We now present a solution using on-line anonymous cash. It is a modification of the solution presented in [12], and works for both private and public auctions. The idea is that when submitting a bid, each bidder also submits commitments to coins whose value is not less than the bid amount. As coins are anonymous, bid secrecy and bidder privacy are maintained.

The commitment scheme is constructed so that each commitment uniquely identifies a coin, but the coin cannot be constructed from the commitment. When a winning bid is chosen, the seller contacts the bank that issued the coins to verify their availability. As each commitment uniquely identifies a coin, the bank can check whether the coins are still unspent. If so, the seller awards the auction to the bidder and the coins are reserved, i.e. no longer available. Default prevention is then achieved because the seller can always claim the coins: the seller receives the payment either from the user, in the normal case, or from the bank. In the latter case the seller sends the goods to the bank, which forwards them to the user.

To prevent the seller from illegally reserving the coins without actually sending the goods, the user can clear the coins by asking the financial institution to act as the user's agent in the transaction with the seller. The financial institution then requests the seller to send the goods. If the goods are not received within a reasonable time frame, the financial institution clears the coins and cancels the transaction. It remains to show the construction of the commitment to the coins.

In anonymous cash schemes, coins are represented as signatures. For simplicity, we assume that the signature scheme in use is the Schnorr signature scheme; other signature schemes work in basically the same manner.

In the Schnorr signature scheme, a public key is generated by choosing two primes $p$ and $q$ of suitable length such that $q \mid (p-1)$, a generator $g$ of the order-$q$ subgroup of $\mathbb{Z}_p^*$, a secret key $x \in \mathbb{Z}_q$ and the public key $y = g^x \bmod p$. A signature on the message $m$ is then the tuple $(c, r)$ that can be verified by checking that $c = H(g^r y^c \,\|\, m)$.

Showing the Schnorr signature $(c, r)$ on the message $m$ is equivalent to showing $(c, u = g^r)$ together with the promise of the discrete logarithm $r = \log_g u$, where $(c, u)$ satisfies $c = H(u y^c \,\|\, m)$. Note that without knowing the private key, one can compute a valid pair $(c, u)$ by choosing $z \in \mathbb{Z}_q$ at random and calculating $c = H(y^z \,\|\, m)$ and $u = y^{z-c}$. However, in this case one does not know the discrete logarithm of $u$.

Then to commit to a coin, which is the signature $(c, r)$, the user sends $(c, u)$ and generates a Schnorr signature $\sigma$ on a message that uniquely identifies the auction, using the public/secret key pair $(u = g^r, r)$. The signature $\sigma$ demonstrates knowledge of $r$; thus the commitment demonstrates knowledge of the coin. As $c$ is included both in the commitment and in the coin itself, the commitment uniquely identifies the coin. However, as computing $r$ from $\sigma$ is hard, it is not possible to compute the coin from its commitment.
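The coin commitment just described, as an added worked example (this is not code from the original paper): a toy Schnorr signature over a constructed 2039-element group, the bank's coin as a Schnorr signature on a coin serial, the commitment $(c, u, \sigma)$ with $\sigma$ a Schnorr signature on the auction identifier under the key pair $(u = g^r, r)$, and the forgery of a consistent-looking $(c, u)$ pair without the coin. The parameters are far too small for real use, the hash is SHA-256 taken as a full-width integer (exponents reduce modulo $q$ implicitly), and the names `commit_coin`, `verify_commitment`, `pair_is_consistent` and `forge_pair` are ours.

```python
import hashlib
import secrets

# Toy Schnorr parameters, constructed for this example only: Q | P - 1 and G has
# order Q in Z_P^*. Real coins would use a 256-bit Q and a 2048-bit-or-more P.
P, Q, G = 2039, 1019, 4


def H(*parts):
    """Hash the parts (joined with a separator) to a full-width integer c.
    Exponents involving c reduce modulo Q automatically because G has order Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (secret x, public y = g^x)


def schnorr_sign(x, m):
    """Signature (c, r) with c = H(g^k || m) and r = k - c x, so that g^r y^c = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    c = H(pow(G, k, P), m)
    return c, (k - c * x) % Q


def schnorr_verify(y, m, sig):
    c, r = sig
    return c == H(pow(G, r, P) * pow(y, c, P) % P, m)


def pair_is_consistent(y_bank, m, c, u):
    """The check a verifier can do on (c, u) alone: c = H(u y^c || m)."""
    return c == H(u * pow(y_bank, c, P) % P, m)


def commit_coin(coin, auction_id):
    """Commit to the coin (m, c, r): reveal (c, u = g^r) and prove knowledge of
    r = log_g u by signing the auction identifier under the key pair (u, r)."""
    m, c, r = coin
    u = pow(G, r, P)
    sigma = schnorr_sign(r, auction_id)
    return c, u, sigma


def verify_commitment(y_bank, m, commitment, auction_id):
    c, u, sigma = commitment
    return pair_is_consistent(y_bank, m, c, u) and schnorr_verify(u, auction_id, sigma)


def forge_pair(y_bank, m):
    """Without the bank's key: choose z, set c = H(y^z || m) and u = y^(z-c).
    Then u y^c = y^z, so (c, u) passes pair_is_consistent, but log_g u is unknown
    and no Schnorr signature under (u, ?) can be produced."""
    z = secrets.randbelow(Q - 1) + 1
    c = H(pow(y_bank, z, P), m)
    u = pow(y_bank, (z - c) % Q, P)
    return c, u


if __name__ == "__main__":
    x_bank, y_bank = keygen()
    serial = "coin-serial-0001"                 # constructed coin identifier
    coin = (serial,) + schnorr_sign(x_bank, serial)
    com = commit_coin(coin, "auction-42")
    print("commitment valid:", verify_commitment(y_bank, serial, com, "auction-42"))
    c, u = forge_pair(y_bank, serial)
    print("forged pair passes the hash check:", pair_is_consistent(y_bank, serial, c, u))
```

The bank indexes reserved coins by the value $c$ carried in the commitment; the bidder's $\sigma$ is bound to the auction identifier, so a commitment captured in one auction cannot be replayed into another.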

6 Providing Bidder Privacy in Private Auction Schemes

Existing private auction schemes do not explicitly provide bidder privacy. In this section we use group signatures to provide bidder privacy for the schemes in [12,13]. Providing bidder privacy for the scheme in [3] is difficult, if possible at all, because bidders have to exchange information with the others in the winning bid selection procedure; thus they naturally know the identity of the competing bidders.

Group signatures can provide bidder privacy for the private auction schemes in [12,13]. The modification is that instead of signing with a normal signature, each bidder generates a group signature on her bid. Each bidder must therefore register with the system beforehand, as in our auction scheme. A group signature on a bid is distributed using the verifiable group signature sharing described earlier. The bid selection remains the same, i.e. using distributed multi-party computation [13] or opening all bids [12]. Once the winning bid is determined, the auctioneers together open the bid and identify the bidder.

Due to the unlinkability feature of group signatures, the modified private auction schemes also provide bidder privacy in multi-round private auctions, where after each round the highest bid is announced and bidders are allowed to submit higher bids in another round. The winning bid is chosen after the final round.
Abstract. A $t$ out of $l$ threshold scheme is such that shares are distributed to $l$ participants so that any set of $t$ participants can compute the secret, whereas any set of fewer than $t$ participants gains no information about the secret. In [9], Desmedt and Frankel described a threshold scheme which can be used with any finite abelian group. Hence it can be used to provide a threshold RSA scheme. In their scheme, a share size is $O(l)\cdot$ "size of secret". Each shareholder performs $O(t^2 l^2 (\log_2 l)^2)$ elementary operations and $O(lt\log_2 l)$ group operations. Here, we describe an algorithm which will reduce the amount of elementary operations, so that each shareholder performs $O(t^2 l\log_2 l)$ elementary operations and $O(t\log_2 l)$ group operations.

Keywords: Threshold secret sharing, threshold RSA, cyclotomic polynomials.



1 Introduction

A $t$ out of $l$ threshold scheme is such that shares, formed from a secret $k$ and random elements, are distributed to $l$ participants so that any set of $t$ participants can compute $k$, and where any subset of $t-1$ or fewer participants gains no information about $k$. If $s_1, \ldots, s_l$ represent the shares distributed to the $l$ participants, then

- $\mathrm{Prob}(k \mid s_{i_1}, \ldots, s_{i_t}) = 1$

- $\mathrm{Prob}(k \mid s_{i_1}, \ldots, s_{i_{t-1}}) = \mathrm{Prob}(k)$.

RSA is an important cryptographic scheme. The development of threshold RSA was problematic due to the fact that the modulus $\phi(N)$¹ ², as well as any multiple of it, cannot be leaked to any of the shareholders. Threshold RSA has been examined in [11,7,8], then in [14,9,6], and most recently in [16,13,12,19]. Of particular interest to us is the scheme by Desmedt, Frankel et al. [9,6]. Here the authors developed a threshold scheme that can be used with any finite abelian group $\mathcal{K}$ (in the RSA scheme $\mathcal{K}$ is $\mathbb{Z}_{\lambda(N)}$). They adapted the Shamir secret sharing scheme [18] by defining an extension ring $\mathbb{Z}[u]$, where $\mathbb{Z}[u] = \mathbb{Z}[x]/m(x)$, $m(x)$ is the cyclotomic polynomial $x^{q-1} + \cdots + x + 1$ and $q$ is a prime greater than $l+1$, and established that $\mathcal{K}^{q-1}$ is a module over $\mathbb{Z}[u]$.

There are two concerns with this application. In order to circumvent revealing the exponent³ of $\mathcal{K}$, they have used the group $\mathcal{K}^{q-1}$, which is a module over $\mathbb{Z}[u]$. Thus shares are drawn from the group $\mathcal{K}^{q-1}$, yet the secret actually belongs to the group $\mathcal{K}$. (By Bertrand's postulate [15], there exists a $q$ satisfying $l < q - 1 < 2l$.) So when $l$ is large, the length of the shares can be a burden on the shareholder (a burden in the sense of time and resources). In [10] it was established that the size of shares could be halved. Here we address how to reduce the amount of time needed to perform computations.

* This work was partially funded by NSF grant CCR-9508528.
¹ Here $N = pq$, the product of two distinct primes, and $\phi(N) = (p-1)\cdot(q-1)$.
² The true modulus is the Carmichael function $\lambda(N)$, which is a divisor of $\phi(N)$.



2 Background on the Desmedt-Frankel Scheme

Let us discuss the threshold scheme described in [9]. $\mathcal{K}$ represents a finite abelian group. The secret will be denoted by $k \in \mathcal{K}$. A prime $q$ is chosen such that $q > l + 1$. (We can assume that $O(q) = O(l)$.) Let $u$ represent a root of the cyclotomic polynomial

$$m(x) = \sum_{j=0}^{q-1} x^j .$$

Much of the work is performed in the ring $\mathbb{Z}[u] = \mathbb{Z}[x]/m(x)$. An important observation is that for each $i$ ($1 \le i \le q-1$), $\alpha_i = \sum_{j=0}^{i-1} u^j$ is a unit (an invertible element in $\mathbb{Z}[u]$) and that $\alpha_i - \alpha_j$ is a unit for all $i, j$ with $1 \le i, j \le q-1$, $i \ne j$.

Consider the group $\mathcal{K}^{q-1} = \mathcal{K}\times\mathcal{K}\times\cdots\times\mathcal{K}$. If $x \in \mathcal{K}^{q-1}$ then $x = [x_0, x_1, \ldots, x_{q-2}]$. For all $x_1, x_2 \in \mathcal{K}^{q-1}$,

$$x_1 + x_2 = [x_{1,0} + x_{2,0},\ x_{1,1} + x_{2,1},\ \ldots,\ x_{1,q-2} + x_{2,q-2}] .$$

$0 = [0, 0, \ldots, 0]$, where $0$ denotes the identity in $\mathcal{K}$. For all $b \in \mathbb{Z}$, $bk = [bk_0, bk_1, \ldots, bk_{q-2}]$, where $bk_i$ represents the element in $\mathcal{K}$ formed by applying $k_i$ to itself $b$ times. For $u \in \mathbb{Z}[u]$,

$$uk = [0, k_0, k_1, \ldots, k_{q-3}] + [-k_{q-2}, \ldots, -k_{q-2}] = [-k_{q-2},\ -k_{q-2} + k_0,\ \ldots,\ -k_{q-2} + k_{q-3}] .$$

Then $u^{i+1}k = u(u^i k)$. For all polynomials $f$ in $u$ with integer coefficients, $f(u) = b_0 + b_1 u + \cdots + b_m u^m$, $f(u)k$ is defined by

$$f(u)k = \sum_{i=0}^{m} b_i (u^i k) .$$

Then $\mathcal{K}^{q-1}$ is a module over $\mathbb{Z}[u]$ (see [1]).

³ The exponent of a finite abelian group $G$ is the smallest natural number $n$ such that $g^n = 1$ for all $g \in G$. The Carmichael function $\lambda(N)$ is the exponent of $\mathcal{K} = \mathbb{Z}_{\lambda(N)}$.
2.1 How Shares Are Computed

Given secret $k$, represent $k$ by $\mathbf{k} = [k, 0, \ldots, 0] \in \mathcal{K}^{q-1}$. Each shareholder $P_i$ ($i = 1, \ldots, l$) is given share $s_i$ in the following manner: shares $s_1, s_2, \ldots, s_{t-1}$ are chosen uniformly at random from $\mathcal{K}^{q-1}$. For $i = t, \ldots, l$, $s_i$ is defined by

$$s_i = y_{i,C_i}^{-1}\Big(\mathbf{k} - \sum_{j \in C_i,\ j \ne i} y_{j,C_i}\, s_j\Big) \qquad (1)$$

where $C_i = \{1, 2, \ldots, t-1, i\}$ and for $j \in C_i$

$$y_{j,C_i} = \frac{\prod_{h \in C_i,\ h \ne j}(0 - \alpha_h)}{\prod_{h \in C_i,\ h \ne j}(\alpha_j - \alpha_h)} . \qquad (2)$$



Desmedt and Frankel later observed an alternate way to define the shares. Randomly select $c_1, c_2, \ldots, c_{t-1} \in \mathcal{K}^{q-1}$; then the shares are defined by

$$\begin{bmatrix} s_1 \\ s_2 \\ \vdots \\ s_l \end{bmatrix} =
\begin{bmatrix} 1 & \alpha_1 & \cdots & \alpha_1^{t-1} \\ 1 & \alpha_2 & \cdots & \alpha_2^{t-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_l & \cdots & \alpha_l^{t-1} \end{bmatrix}
\begin{bmatrix} \mathbf{k} \\ c_1 \\ \vdots \\ c_{t-1} \end{bmatrix} \qquad (3)$$

Therefore for each $i$, $s_i = \mathbf{k} + \alpha_i c_1 + \cdots + \alpha_i^{t-1} c_{t-1}$. Hence $s_i = g(\alpha_i)$ where $g(x) = \mathbf{k} + x\,c_1 + \cdots + x^{t-1} c_{t-1}$.

2.2 How the Secret k Is Computed

When a set $B$ of $t$ participants wish to compute $k \in \mathcal{K}$, they can determine $\mathbf{k}$, of which the first component is the secret $k$. The participants determine $\mathbf{k}$ by

$$\mathbf{k} = \sum_{i \in B} y_{i,B}\cdot s_i \qquad (4)$$

where $y_{i,B}$ is defined by (2). We will use $F_0$ to denote the function which maps any $(q-1)$-tuple to its first coordinate. Thus $k = F_0(\mathbf{k})$.



2.3 How Much Time Is Needed to Perform the Necessary Algebraic Operations

One of our concerns is the amount of time each shareholder uses to perform algebraic operations, and another is the amount of time the distributor needs to perform algebraic operations. As described by equations (1) and (4), a required computation is $y_{i,B}$. (In the case of the DISTRIBUTOR, such $y_{i,B}$ values have to be calculated for each of the $l-t$ sets $C_i$ in (1).) There are two approaches to perform the needed calculation.

The first approach is to compute $y_{i,B}\cdot s_i$ directly, applying the factors of $y_{i,B}$ to $s_i$ through group operations in $\mathcal{K}^{q-1}$. The running time to compute $y_{i,B}\cdot s_i$ in this manner, as stated by [9], is:

Theorem 1. [9] Each SHAREHOLDER performs $O(tl)$ group operations and $O(l)$ inverses. In addition to the time to choose $t-1$ random shares, the DISTRIBUTOR performs $O(t^2 l(l-t))$ group operations and $O(tl(l-t))$ inverse operations.

A different method is suggested if a group operation is slower than integer multiplication. Instead of performing a series of group operations, a series of $\mathbb{Z}[u]$ operations is performed until $y_{i,B}$ is formed, and then one group operation is performed. [9] established the following:

Theorem 2. [9] Each SHAREHOLDER performs $O(lt\log l)$ group operations, $O(l)$ inverses, and $O(t^2 l^2(\log l)^2)$ elementary integer operations. In addition to the time needed to choose $t-1$ random shares, the DISTRIBUTOR performs $O(t^2 l(l-t)\log l)$ group operations, $O(tl(l-t))$ inverse operations, and $O(t^2 l^2(l-t)(\log l)^2)$ elementary integer operations.

The goal of this paper is to devise a scheme which improves the time constraints placed on the shareholder and distributor when one uses the second method of computation, as described by Theorem 2. In this case the SHAREHOLDER performs $O(t^2 l^2(\log_2 l)^2)$ integer operations and $O(lt\log_2 l)$ group operations. In light of the fact that $O(l) = O(q)$, we can express these as $O(t^2 q^2(\log_2 q)^2)$ and $O(qt\log_2 q)$ respectively. The DISTRIBUTOR performs $O(t^2 q^2(q-t)(\log_2 q)^2)$ integer operations and $O(qt^2(q-t)\log q)$ group operations.

3 An Algorithm which Multiplies an $f$ by an $\alpha_x$

We will express the running time⁴ in the number of elementary ("bit") operations. From [3], given polynomials $f, g \in \mathbb{Z}[u]$, the amount of time to multiply $f\cdot g$ is $O(q^2\log_2 C_f\log_2 C_g)$, where $\log_2 C_f$ and $\log_2 C_g$ represent the size (in bits) of the largest coefficient of $f$ and $g$, respectively. This, of course, uses a method which does not take advantage of the type of polynomial $f$ and/or $g$ may be. (For example, if one of them is a cyclotomic polynomial $\alpha_x$ then we can apply the following Algorithm 31.)

⁴ In order to make fair comparisons, we want to express running time using the same metric, "number of elementary operations".
Let $f(u) \in \mathbb{Z}[u]$; then $f(u) = a_0 + a_1 u + \cdots + a_{q-1}u^{q-1}$, so we can represent $f$ by $(a_0, a_1, \ldots, a_{q-1})$. (Observe that it is possible to represent $f(u)$ as a polynomial of degree at most $q-2$, because $u^{q-1} = -u^{q-2} - \cdots - u - 1$, since $u^{q-1} + u^{q-2} + \cdots + u + 1 = 0$ in $\mathbb{Z}[u]$. However, in this paper we will not use this representation.) The following algorithm is used to multiply $\alpha_x\cdot f(u)$. Here $\deg(f)$ will denote the degree of the polynomial $f(u)$. (In all algorithms, all subscripts are reduced modulo $q$.)

Algorithm 31. To multiply $\alpha_x\cdot f(u) = b_0 + b_1 u + \cdots + b_{q-1}u^{q-1}$:

(0) determine $\deg(f)$
(1) initialize $b_i = 0$ for all $i$
(2) TEMP $= 0$
(3) for $i = 0$ to $x - 1$
(4)     $b_i = a_i + $ TEMP
(5)     TEMP $= b_i$
(6) for $i = x$ to $\deg(f) + x - 1$
(7)     if $i \le q - 1$
(8)         TEMP $=$ TEMP $+ a_i - a_{i-x}$
(9)     else
(10)        TEMP $=$ TEMP $- a_{i-x}$
(11)    $b_i = b_i + $ TEMP
(12) output $(b_0, \ldots, b_{q-1})$

Steps (3) to (5) build the running sum $b_i = a_0 + \cdots + a_i$ while the window of $x$ coefficients is still filling; from step (6) on, TEMP is the sliding-window sum $a_{i-x+1} + \cdots + a_i$, and for $i \ge q$ the term lands on $b_{i-q}$ because $u^q = 1$.

Theorem 3. On input $\alpha_x$ and polynomial $f(u)$, Algorithm 31 will correctly output the coefficients of the product $\alpha_x\cdot f(u)$. The running time of Algorithm 31 is $O(q + \log C_f\,(\deg(f) + x - 1))$, where $\log C_f$ represents the number of bits needed to represent the largest coefficient of $f(u)$.

Observe that $O(q + \log_2 C_f(\deg(f) + x - 1)) \le O(q\log_2 C_f)$. Note that if we multiply $\alpha_x\cdot\alpha_y$, then the largest coefficient of $\alpha_y$ is $1$, and the resulting product has a largest coefficient of at most $\max\{x, y\}$, which is $< q$. If we multiply $\alpha_x$ with $(\alpha_y\cdot\alpha_z)$, then the largest coefficient of $(\alpha_y\cdot\alpha_z)$ is $< q$, and the resulting product has a largest coefficient $< q^2$. This argument continues in this manner. Thus an upper bound on the coefficients produced by multiplying $r$ many $\alpha_j$ is $q^{r-1}$, which gives us the following result:

Corollary 1. The time to multiply $\alpha_x\cdot\alpha_y$ is $O(q)$. The time to multiply $\alpha_x$ with $\prod_{v \in B}\alpha_v$ (where $|B| = r$) is $O(rq\log q)$.



4 Some Properties of the Cyclotomic Polynomials $\alpha_x$

For each $x$, $1 \le x \le q-1$, $\alpha_x = 1 + u + \cdots + u^{x-1} = \frac{u^x - 1}{u - 1}$, and $\alpha_x$ is a unit.

As noted earlier, $u^{q-1} + \cdots + u + 1 = \alpha_q = 0$ in $\mathbb{Z}[u]$. Observe that $u^q = u(u^{q-1} + \cdots + u + 1) - (u^{q-1} + \cdots + u + 1) + 1$, so $u^q = 1$. Thus $u^{-1} = u^{q-1}$.

And so we see that for all $x$, $u^x$ is a unit. Since $u^x$ exists for all integers $x$, we can extend the definition of $\alpha_x$ to all integers $x$ as well. For all nonzero $x$, $\alpha_x = \frac{u^x - 1}{u - 1}$. Define $\alpha_0 = 0$. Observe then that $\alpha_{x+q} = \frac{u^{x+q} - 1}{u - 1} = \frac{u^x - 1}{u - 1}$. Hence $\alpha_{x+q} = \alpha_x$ for all $x$. Therefore $\alpha_i = \alpha_j$ if and only if $i \equiv j \pmod q$. Some other properties we will employ: $\alpha_x - \alpha_y = u^y\alpha_{x-y}$ and $\alpha_{q-x} = -u^{-x}\alpha_x$. (Other properties are displayed in Lemma 1 in the Appendix.)

For each $x \in \mathbb{Z}_q^*$, observe that $x^{-1} \pmod q$ exists. To avoid confusing $\alpha_x^{-1}$ with $\alpha_{x^{-1}}$ we will denote $x^{-1} \pmod q$ by $r_x$. Since $u^{q+1} = u$, it follows that for all $y$ such that $y \equiv 1 \pmod q$ we have $u^y = u$. Hence $u^{x r_x} = u$.



4.1 How to Compute the Inverse of the Cyclotomic Polynomial $\alpha_x$

From [3], given $\alpha_x \in \mathbb{Z}[u]$ with $x \not\equiv 0 \pmod q$, the amount of time to compute $\alpha_x^{-1}$ by a general inversion method is $O(q^2)$. This, of course, uses a method which does not take advantage of the type of polynomial $\alpha_x$ is.

To compute $\alpha_x^{-1}$ where $\alpha_x = \frac{u^x - 1}{u - 1}$, we note the following:

$$1 = \alpha_1 = \frac{u - 1}{u - 1} = \frac{u^{r_x x} - 1}{u - 1} = \frac{u^{r_x x} - 1}{u^x - 1}\cdot\frac{u^x - 1}{u - 1} = \big(u^{(r_x - 1)x} + u^{(r_x - 2)x} + \cdots + u^x + 1\big)\cdot\alpha_x .$$

The following is the algorithm to determine $\alpha_x^{-1}$:

Algorithm 41. To determine $\alpha_x^{-1} = b_0 + b_1 u + \cdots + b_{q-1}u^{q-1}$ for $x \not\equiv 0 \pmod q$:

(1) initialize $b_i = 0$ for all $i$
(2) determine $r_x$ (this is $x^{-1} \pmod q$)
(3) for $i = 0$ to $r_x - 1$
(4)     $b_{ix} = 1$
(5) output $(b_0, \ldots, b_{q-1})$

Here $b_{ix}$ refers to the coefficient of the term $u^{ix}$, where $ix$ is reduced modulo $q$.

Theorem 4. On input $x \not\equiv 0 \pmod q$, Algorithm 41 will output $\alpha_x^{-1}$ in time $O(q\log q)$.

5 Some Results Concerning the Ratio of Two Cyclotomic Polynomials

For all $x, y \in \mathbb{Z}_q^*$ consider $\frac{\alpha_y}{\alpha_x}$. By observing that $y = y\cdot r_x\cdot x = (y\cdot r_x)\cdot x = k\cdot x$, where $k = y\cdot r_x$, we see that

$$\frac{\alpha_y}{\alpha_x} = \frac{\alpha_{kx}}{\alpha_x} = \frac{u^{kx} - 1}{u^x - 1} = u^{(k-1)x} + u^{(k-2)x} + \cdots + u^x + 1 .$$

Definition 1. Let $a \in \mathbb{Z}_q^*$. Let $\pi_a$ denote the permutation of $\{1, 2, \ldots, q-1\}$ such that $\pi_a(x) = ax \pmod q$. We extend the definition of $\pi_a$ to the polynomial $f(u) = b_0 + b_1 u + \cdots + b_{q-1}u^{q-1}$ by

$$\pi_a(f) = \sum_{i=0}^{q-1} b_i u^{\pi_a(i)} .$$

Observe that $\pi_a(f) = f(u^a)$.

It follows then that $\pi_a(\alpha_x) = 1 + u^a + u^{2a} + \cdots + u^{(x-1)a}$. For example, since $\alpha_3 = 1 + u + u^2$, $\pi_4(\alpha_3) = 1 + u^4 + u^8$. And so we see that $\pi_a(\alpha_x) = \frac{\alpha_{ax}}{\alpha_a}$.

Some results concerning $\pi_a$ are displayed in Lemma 2 in the appendix. We will use the following properties: (1) $\pi_1(f) = f$; (2) $\pi_{ab}(f) = \pi_a(\pi_b(f))$; and (3) $\pi_a(fg) = \pi_a(f)\pi_a(g)$, where $f, g \in \mathbb{Z}[u]$ and $a, b \in \mathbb{Z}_q^*$.

5.1 Generalizing Algorithm 31

Algorithm 31 can be generalized to the case of multiplying $\pi_x(\alpha_a)$ by $f(u)$ (here $\pi_x(\alpha_a) = \frac{\alpha_{ax}}{\alpha_x}$). Again $f(u) = a_0 + a_1 u + \cdots + a_{q-1}u^{q-1}$. (For brevity, we state the algorithm in an informal manner.)

Algorithm 51. To multiply $u^{(a-1)x} + \cdots + u^x + 1$ by $f(u) = b_0 + b_1 u + \cdots + b_{q-1}u^{q-1}$:

The product $\frac{\alpha_{ax}}{\alpha_x}\cdot f(u)$ is the same as $\pi_x(\alpha_a)\cdot f(u)$, which is equal to $\pi_x\big(\alpha_a\cdot\pi_{r_x}(f(u))\big)$, since $\pi_x(\pi_{r_x}(f)) = \pi_{x r_x}(f) = \pi_1(f) = f$. Thus we multiply $\alpha_a$ by $\pi_{r_x}(f(u))$ using Algorithm 31, then apply $\pi_x$ to the output.

Theorem 5. Algorithm 51 will correctly output the product of $u^{(a-1)x} + \cdots + u^x + 1$ with $f(u)$ with running time $O(q\log q + q\log C_f)$.



6 To Compute $y_{i,B}$

Let $B$ represent a set of shareholders of cardinality $t$. To recover the secret, it is essential that each shareholder $i \in B$ calculate $y_{i,B}$:

$$y_{i,B} = \frac{\prod_{j \in B,\ j \ne i}(0 - \alpha_j)}{\prod_{j \in B,\ j \ne i}(\alpha_i - \alpha_j)}
= \prod_{j \in B,\ j \ne i}\frac{\alpha_j}{\alpha_j - \alpha_i}
= \prod_{j \in B,\ j \ne i}\frac{\alpha_j}{u^i\alpha_{j-i}}
= u^{-(|B|-1)i}\prod_{j \in B,\ j \ne i}\frac{\alpha_j}{\alpha_{j-i}} .$$

(We have applied, in the third fraction from the left, Lemma 1 statement (vi), which is the result that $\alpha_j - \alpha_i = u^i\alpha_{j-i}$.)

Observe that $\prod_{j \in B,\ j \ne i}\frac{\alpha_j}{\alpha_{j-i}}$ can be interpreted as a product $\prod\frac{\alpha_{ax}}{\alpha_x}$ where $x \in \{j - i : j \in B,\ j \ne i\}$ and $a = j\cdot r_{j-i} \pmod q$.

450 B. King 



6.1 Time to Compute $y_{i,B}$

The time to determine $u^{-(|B|-1)i}$ is $O(q)$. For each $j$, $\frac{\alpha_j}{\alpha_{j-i}} = \frac{\alpha_{ax}}{\alpha_x}$ with $x = j - i$ and $a = j\cdot r_{j-i}$. The amount of time to determine this $a$ is $(\log q)^2$, which will be absorbed into the time to compute $y_{i,B}$. Computing $y_{i,B}$ as a sequence of multiplications using Algorithm 51, the time is equal to

$$q\log q + 2q\log q + \cdots + (t-1)q\log q = O(t^2 q\log q) .$$

Therefore the total running time to compute $y_{i,B}$ is $O(t^2 q\log_2 q)$, which is equivalent to $O(t^2 l\log_2 l)$.

Theorem 6. The amount of time for a SHAREHOLDER to compute $y_{i,B}$ is $O(t^2 q\log_2 q)$ elementary operations. The amount of time for the DISTRIBUTOR to compute all required $y_{i,B}$ is $O(t^3 q(q-t)\log_2 q)$ elementary operations.

Remark. Observe that the SHAREHOLDER's computation of $y_{i,B}$ is $\frac{1}{q\log_2 q}$ of the time given in Theorem 2. The DISTRIBUTOR's computation of the $y_{i,B}$ is $\frac{t}{q\log_2 q}$ of the time given in Theorem 2. In practice, the amount of time to compute $y_{i,B}$ should be much smaller than $O(t^2 q\log_2 q)$. One reason is the upper bound on the size of the coefficients. When multiplying $r$ many $\alpha_j$, we used $r\log_2 q$ as an upper bound (this was the comment that established Corollary 1). In practice this bound is much larger than the actual coefficient size. A second reason is that when one considers $\prod\frac{\alpha_j}{\alpha_{j-i}}$, many cancellations may occur. Some of them are outright cancellations, others reduce to polynomials whose coefficients are much smaller in size. (This is where some of the results of Lemma 1 could play an important role in creating reductions.)

7 Computations within the Group

Let us assume that we are implementing this scheme to perform threshold RSA signatures. Then $\mathcal{K} = \mathbb{Z}_{\lambda(N)}$. Suppose that $m$ represents the message. We define $G = \{(m^{x_0}, \ldots, m^{x_{q-2}}) : x_i \in \mathcal{K}\}$; then $G$ is a multiplicative group. If we define $x = [x_0, x_1, \ldots, x_{q-2}]$ then we can interpret elements of $G$ as $m^{x}$. Recalling the definition of $\mathbb{Z}[u]$, define a scalar operation on $G$ by: for $b \in \mathbb{Z}$, $b\cdot m^{x} = m^{bx}$, where $bx$ represents the scalar operation defined on $\mathcal{K}^{q-1}$. Define $u\cdot m^{x} = m^{ux}$, where $ux$ has been defined earlier. Analogously, for all $f(u) \in \mathbb{Z}[u]$ define $f(u)\cdot m^{x} = m^{f(u)x}$; then $G$ is a $\mathbb{Z}[u]$-module. So, for $B = \{i_1, \ldots, i_t\}$, we have

$$m^{\mathbf{k}} = \prod_{i \in B} y_{i,B}\cdot m^{s_i} = [y_{i_1,B}, \ldots, y_{i_t,B}]\cdot[m^{s_{i_1}}, \ldots, m^{s_{i_t}}]^{T} .$$

In addition we can reinterpret equation (3) by applying the same Vandermonde matrix of $\alpha$'s to $[m^{\mathbf{k}}, m^{c_1}, \ldots, m^{c_{t-1}}]^{T}$, which yields $[m^{s_1}, \ldots, m^{s_l}]^{T}$.

These last two equations point out that although this threshold scheme has described shares in $\mathcal{K}^{q-1}$, computation of the secret is actually done in $G$.

Therefore it may be misleading for us to count the number of group operations in $\mathcal{K}$ (or in $\mathcal{K}^{q-1}$), for a single group operation in $G$ is a multiplication in $\mathbb{Z}_N$. We use $(\log_2 N)^2$ to represent the amount of time to perform a multiplication in $\mathbb{Z}_N$ (although better implementations exist).

The emphasis here is on the computations a shareholder will have to perform within the group. Recall $\mathcal{K}$ is $\mathbb{Z}_{\lambda(N)}$, and in threshold RSA no participant can be given any information concerning $\phi(N)$. Shares are actually $(q-1)$-dimensional vectors formed from $\mathbb{Z}_{\lambda(N)}$. From a shareholder's view this will look like a $(q-1)$-dimensional integer vector. Thus computations can be performed within the group using integer addition. The secret is $d$, where the RSA public key is $(e, N)$ and $ed \equiv 1 \pmod{\lambda(N)}$. Therefore $\mathbf{k} = [d, 0, \ldots, 0] = \sum_{i \in B} y_{i,B}\, s_i$. If a set of $t$ participants would like to sign a message $m$, then they will not send their subshares of $d$ (i.e. they will NOT send $y_{i,B}\cdot s_i$) but rather they will send partial signatures. They could send $m^{y_{i,B}s_i}$. If all $t$ participants sent $m^{y_{i,B}s_i}$, then a combiner would get $m^d$ by

$$m^d = F_0\big(m^{[d,0,\ldots,0]}\big) = F_0\Big(\prod_{i \in B} m^{y_{i,B}s_i}\Big) .$$

However we must point out that this method wastes resources. That is, the combiner is actually computing $m^{[d,0,\ldots,0]} = [m^d, 1, \ldots, 1]$, where the only element of interest is $m^d$. Consider the following: first, recall that $F_0$ is a function which maps a $j$-tuple to its first coordinate. Second, suppose that $R$ is a nonempty set, and that for all $j \in R$, $z_j \in \mathcal{K}^{q-1}$, $z_j = [z_{j,0}, z_{j,1}, \ldots, z_{j,q-2}]$. Then

$$F_0\Big(\sum_{j \in R} z_j\Big) = \sum_{j \in R} F_0(z_j) . \qquad (5)$$

So we see by equation (5) that, to compute $m^d$, all that is needed is $F_0(y_{i,B}\cdot s_i)$ for each $i \in B$.

In [11], Desmedt and Frankel used the same ring $\mathbb{Z}[u]$ and described the following alternative for shareholders to construct partial signatures.

Suppose $y_{i,B} = c_{i,0} + c_{i,1}u + \cdots + c_{i,q-1}u^{q-1}$. Before we can compute $y_{i,B}s_i$, we must use the equation $u^{q-1} = -u^{q-2} - \cdots - u - 1$ to convert $y_{i,B}$ to a polynomial of degree $q-2$. We represent $y_{i,B}$ reduced to degree $q-2$ by $a_{i,0} + a_{i,1}u + \cdots + a_{i,q-2}u^{q-2}$. Thus $a_{i,j} = c_{i,j} - c_{i,q-1}$.

The first coordinate of $y_{i,B}\cdot s_i$ can be determined without computing all $q-1$ coordinates. Using our notation the first coordinate will be

$$a_{i,0}s_{i,0} + (a_{i,2} - a_{i,1})s_{i,q-2} + (a_{i,3} - a_{i,2})s_{i,q-3} + \cdots + (a_{i,q-2} - a_{i,q-3})s_{i,2} - a_{i,q-2}s_{i,1} . \qquad (6)$$

Since $c_{i,j}$ is bounded between $0$ and $q^{t-1}$, we find that $a_{i,j}$ is bounded between $-q^{t-1}$ and $q^{t-1}$.
Algorithm 71 [11]. To compute the partial signature for participant $P_i$. Let $B$ be a set of $t$ participants such that $i \in B$.

(1) Compute $y_{i,B}$.
(2) Compute equation (6). Denote this integer by $\text{temp}_i$.
(3) Compute $m^{\text{temp}_i} \pmod N$; this is the partial signature of $P_i$.

If $P_i$ were to determine their partial signature in a manner which omitted computing $\text{temp}_i$ as an integer, and computed $m^{y_{i,B}s_i}$ immediately after computing $y_{i,B}$, then the amount of time would be $O(tl\log_2 l)$ group computations. Since the group computations would be multiplications in $\mathbb{Z}_N$, the actual cost would be on the order of $O(tl\log_2 l\,(\log_2 N)^2)$.
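The whole pipeline of Sections 2 through 7, as an added worked example (this is our code, not the paper's): the ring $\mathbb{Z}[u]$ with $q = 7$, the units $\alpha_x$ and their inverses by Algorithm 41, the Lagrange coefficient $y_{i,B}$ via Lemma 1 (vi), share dealing by equation (3), the first coordinate $F_0(y_{i,B}s_i)$ by equation (6), and the partial signatures of Algorithm 71 combined into an RSA signature. Assumptions: toy RSA parameters $N = 2039\cdot 2027$ built from constructed safe primes, $l = 5$, $t = 3$, $\mathcal{K} = \mathbb{Z}_{\lambda(N)}$; ring elements are kept reduced to degree $q-2$ (the representation the paper mentions but does not use), and products are formed by plain convolution rather than Algorithms 31 and 51, which only change the running time, not the result. The names `reduce_`, `alpha`, `alpha_inv`, `lagrange`, `deal`, `first_coord`, `partial_signature` and `combine` are ours.

```python
import secrets

# Toy RSA setup, constructed for this example only (real keys are >= 2048 bits).
# N = p*q with p = 2p'+1 and q = 2q'+1 safe primes, so lambda(N) = 2 p' q'.
PP, QP = 1019, 1013
P_, Q_ = 2 * PP + 1, 2 * QP + 1          # 2039 and 2027, both prime
N = P_ * Q_
LAM = 2 * PP * QP                        # K = Z_LAM, the group the secret d lives in
E = 65537
D = pow(E, -1, LAM)                      # the shared secret k = d
L, T = 5, 3                              # l shareholders, threshold t
Q = 7                                    # prime q > l + 1; Z[u] = Z[x] / (x^6 + ... + x + 1)


def reduce_(coeffs):
    """Reduce an integer coefficient list (any length) onto the basis 1, u, ..., u^(q-2),
    using u^q = 1 and u^(q-1) = -(1 + u + ... + u^(q-2))."""
    full = [0] * Q
    for i, v in enumerate(coeffs):
        full[i % Q] += v
    top = full[Q - 1]
    return [full[i] - top for i in range(Q - 1)]


def mul(f, g):
    """Product in Z[u] by schoolbook convolution followed by reduction. The same routine
    applies a ring element to a share vector, since K^(q-1) = Z_LAM[u] as a Z[u]-module."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return reduce_(out)


def alpha(x):
    """alpha_x = 1 + u + ... + u^(x-1); alpha_0 = 0 and alpha_(x+q) = alpha_x."""
    return reduce_([1] * (x % Q))


def alpha_inv(x):
    """Algorithm 41: alpha_x^{-1} = sum_{i=0}^{r_x - 1} u^(i x), with r_x = x^{-1} mod q."""
    r = pow(x % Q, -1, Q)
    b = [0] * Q
    for i in range(r):
        b[(i * x) % Q] = 1
    return reduce_(b)


def lagrange(i, B):
    """y_{i,B} = prod_{j in B, j != i} alpha_j / (alpha_j - alpha_i)
             = u^{-i(|B|-1)} prod alpha_j * alpha_{j-i}^{-1}      (Lemma 1 (vi))."""
    y = [1] + [0] * (Q - 2)
    for j in B:
        if j != i:
            y = mul(y, mul(alpha(j), alpha_inv(j - i)))
    shift = (-i * (len(B) - 1)) % Q                     # u^{-i(t-1)} = u^shift
    return mul(y, [0] * shift + [1])


def deal(secret):
    """Equation (3): s_i = g(alpha_i) with g(x) = k + x c_1 + ... + x^(t-1) c_{t-1},
    k = [secret, 0, ..., 0] and random c_j in K^(q-1)."""
    k = [secret] + [0] * (Q - 2)
    cs = [[secrets.randbelow(LAM) for _ in range(Q - 1)] for _ in range(T - 1)]
    shares = {}
    for i in range(1, L + 1):
        s, power = k[:], [1] + [0] * (Q - 2)
        for c in cs:
            power = mul(power, alpha(i))
            s = [(a + b) % LAM for a, b in zip(s, mul(power, c))]
        shares[i] = s
    return shares


def first_coord(a, s):
    """Equation (6): F_0(a * s) for a in Z[u] of degree <= q-2 and a share s, as an
    integer, without forming the other q-2 coordinates of the product."""
    total = a[0] * s[0] - a[Q - 2] * s[1]
    for j in range(2, Q - 1):
        total += (a[j] - a[j - 1]) * s[Q - j]
    return total


def partial_signature(msg, i, B, shares):
    """Algorithm 71: msg^{F_0(y_{i,B} s_i)} mod N (the exponent may be negative)."""
    return pow(msg, first_coord(lagrange(i, B), shares[i]), N)


def combine(partials):
    sig = 1
    for v in partials:
        sig = sig * v % N
    return sig


if __name__ == "__main__":
    shares = deal(D)
    B, msg = [1, 3, 5], 123456                           # constructed message, coprime to N
    sig = combine(partial_signature(msg, i, B, shares) for i in B)
    print("signature valid:", pow(sig, E, N) == msg % N)
```

Because each shareholder hands out only $m^{\text{temp}_i}$, nothing about $\lambda(N)$ leaves the shareholder; the combiner multiplies $t$ residues modulo $N$ and checks the result against the public exponent, exactly as it would check an ordinary RSA signature.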

Consider the amount of time to compute the partial signature in the manner described by Algorithm 71. To compute $\text{temp}_i$, consider the computation of

$$a_{i,0}s_{i,0} + a_{i,2}s_{i,q-2} + \cdots + a_{i,q-2}s_{i,2} .$$

As we described earlier, $-q^{t-1} < a_{i,j} < q^{t-1}$ for all $j$. Therefore computing $a_{i,j}s_{i,q-j}$ will take $O(\log_2 q^{t}\cdot\log_2\phi(N)) = O(t\log_2 q\cdot\log_2\phi(N))$. Thus computing all $q$ of them costs $O(tq\log_2 q\cdot\log_2\phi(N))$ (which we will express as $O(tl\log_2 l\cdot\log_2\phi(N))$ since $O(l) = O(q)$). Reminder: this cost is given in elementary operations. Equation (6) can be computed in three steps: compute $a_{i,0}s_{i,0} + a_{i,2}s_{i,q-2} + \cdots + a_{i,q-2}s_{i,2}$, compute $a_{i,1}s_{i,q-2} + a_{i,2}s_{i,q-3} + \cdots + a_{i,q-2}s_{i,1}$, then take the difference. Thus step (2) of Algorithm 71 can be completed in $O(tl\log_2 l\cdot\log_2\phi(N))$. Now note that $a_{i,0}s_{i,0} + a_{i,2}s_{i,q-2} + \cdots + a_{i,q-2}s_{i,2}$ is bounded above by $q\cdot q^{t-1}\cdot\phi(N) = q^t\phi(N)$. Computing $m^{\text{temp}_i}$ will therefore take at most on the order of $O((t\log_2 l + \log_2\phi(N))(\log_2 N)^2)$. Thus the total time to compute the partial signature is $O((t\log_2 l + \log_2\phi(N))(\log_2 N)^2) + O(tl\log_2 l\cdot\log_2\phi(N)) + O(t^2 l\log_2 l)$. Simplifying, we see that the cost of generating a partial signature is

$$O\big(tl\log_2 l\,(t + \log\phi(N)) + [t\log_2 l + \log_2\phi(N)](\log_2 N)^2\big) . \qquad (7)$$

Remark. Observe that if $tl\log_2 l < (\log_2 N)^2$ then equation (7) reduces to $O([t\log_2 l + \log_2\phi(N)](\log_2 N)^2)$. Now consider two cases: 1) $\log_2\phi(N) > t\log_2 l$ and 2) $\log_2\phi(N) < t\log_2 l$. In the case when $\log_2\phi(N) > t\log_2 l$, the time to compute a threshold RSA partial signature is equivalent to the time to compute an RSA signature. In the case when $\log_2\phi(N) < t\log_2 l$ we see a reduction in the amount of time to perform group operations by a factor of $l$ compared with computing $m^{y_{i,B}s_i}$ directly. (This reduction is for the SHAREHOLDER.)

Because the DISTRIBUTOR needs to form the entire share vectors $s_i$, we cannot apply Algorithm 71. However the DISTRIBUTOR is performing group operations in the additive group $\mathbb{Z}_{\lambda(N)}$. The DISTRIBUTOR has to: perform $O(t^3 l(l-t)\log_2 l)$ elementary operations, generate $t$ random vectors of length $l$, and perform $O(lt^2(l-t)\log_2 l)$ additions in $\mathbb{Z}_{\lambda(N)}$. These additions have a cost of $O(lt^2(l-t)\log_2 l\cdot\log_2\phi(N))$. This latter cost refers to the creation of $(l-t)$ vectors of length $l$. Therefore the DISTRIBUTOR requires $O(lt^2(l-t)(\log_2 l + \log_2 l\cdot\log_2\phi(N))) = O(lt^2(l-t)\log_2 l\cdot\log_2\phi(N))$. Realize that this cost is a one-time cost (for the duration of the key $d$), whereas the SHAREHOLDERS will apply their algorithm every time they need to sign a message.

Lastly the COMBINER is required to multiply $t$ elements in $\mathbb{Z}_N$. This has a cost of $O(t(\log_2 N)^2)$.

8 Shoup's Threshold RSA Signature Scheme

Our interest in Shoup's RSA threshold signature scheme [19] is that it allows us to make a comparison between two non-interactive RSA threshold signature schemes. The share size in Shoup's scheme is on the order of the size of the secret, which is a tremendous improvement over the Desmedt-Frankel scheme. Our sole interest is share size and the time required to perform computations, so we omit comparison between the two schemes outside this realm.

$N = pq$ where $p$ and $q$ are primes such that $p = 2p' + 1$ and $q = 2q' + 1$ with $p'$ and $q'$ prime. Let $n = p'q'$. The dealer chooses an RSA exponent $e$ and the secret exponent $d$ with $de \equiv 1 \pmod n$. The dealer chooses $a_1, a_2, \ldots, a_{t-1}$ at random from $\{0, \ldots, n-1\}$ and defines the polynomial $f(x) = d + a_1 x + a_2 x^2 + \cdots + a_{t-1}x^{t-1}$. For each $i \in \{1, \ldots, l\}$ the dealer sends participant $P_i$ the share

$$s_i = f(i) \pmod n .$$

Let $\Delta = l!$. For any subset $S$ of $t$ points from the set $\{0, 1, \ldots, l\}$, for any $i \in \{0, 1, \ldots, l\}\setminus S$ and $j \in S$, define

$$\lambda^S_{i,j} = \Delta\prod_{j' \in S,\ j' \ne j}\frac{i - j'}{j - j'} \in \mathbb{Z} .$$

Then for all $i \in \{0, 1, \ldots, l\}\setminus S$

$$\Delta\cdot f(i) = \sum_{j \in S}\lambda^S_{i,j}\, f(j) \pmod n .$$

Next a hash function is needed to map messages to elements of $\mathbb{Z}_N^*$. If $x = H(m)$ for message $m$, then a signature for $m$ is a $y$ such that $y^e = x \pmod N$.

Signature shares. Each participant has received $s_i$; they then form $x_i = x^{2\Delta s_i}$, which belongs to the subgroup consisting of all squares in $\mathbb{Z}_N^*$. Each member of a set $S$ of $t$ participants will first compute $x_i$. (These steps are separated because a proof of correctness is sent along with this $x_i$, which is omitted from our discussion.) Secondly, the participant sends $x_i^{2\lambda^S_{0,i}}$ to the combiner.

The combiner computes $w$ by

$$w = \prod_{i \in S} x_i^{2\lambda^S_{0,i}} .$$

It follows then that $w^e = x^{e'}$ where $e' = 4\Delta^2$. Since $\gcd(e', e) = 1$, by using the extended Euclidean algorithm one can find $a$ and $b$ such that $ae' + be = 1$. The signature is $y = w^a x^b$. The signature can be verified by checking $y^e = x$.
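Shoup's scheme as just described, as an added worked example (our code, not Shoup's reference implementation): dealing $s_i = f(i) \bmod n$, the integer Lagrange coefficients $\lambda^S_{0,i}$, the shares $x_i = x^{2\Delta s_i}$, the combiner's $w$, and the final $y = w^a x^b$ with $ae' + be = 1$. The correctness proofs on the shares are omitted here, as in the text. Assumptions: the same constructed toy safe primes as before ($p = 2039$, $q = 2027$), $e = 65537$, $l = 5$, $t = 3$, and a hash-to-group that bumps a counter in the negligible case $\gcd(H(m), N) \ne 1$; the names `deal`, `hash_to_group`, `lam`, `signature_share`, `combine` and `verify` are ours.

```python
import hashlib
import secrets
from math import factorial, gcd

# Toy parameters, constructed for this example only (nowhere near real key sizes).
PP, QP = 1019, 1013                      # p', q' prime
P_, Q_ = 2 * PP + 1, 2 * QP + 1          # p = 2039, q = 2027, both prime (safe primes)
N, n = P_ * Q_, PP * QP                  # n = p'q'; Z_N^* has exponent lambda(N) = 2n
E = 65537                                # prime e > l, coprime to n
L, T = 5, 3                              # l participants, threshold t
DELTA = factorial(L)                     # Delta = l!


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a x + b y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def deal():
    """Shares s_i = f(i) mod n with f(x) = d + a_1 x + ... + a_{t-1} x^{t-1}, d e = 1 mod n."""
    d = pow(E, -1, n)
    coeffs = [d] + [secrets.randbelow(n) for _ in range(T - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % n for i in range(1, L + 1)}


def hash_to_group(msg):
    """x = H(msg) as an element of Z_N^*; the counter only moves if gcd(x, N) != 1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{ctr}|{msg}".encode()).digest()
        x = int.from_bytes(digest, "big") % N
        if x and gcd(x, N) == 1:
            return x
        ctr += 1


def lam(S, i):
    """Integer Lagrange coefficient lambda^S_{0,i} = Delta * prod_{j in S, j != i} (0 - j)/(i - j)."""
    num = den = 1
    for j in S:
        if j != i:
            num *= -j
            den *= i - j
    assert (DELTA * num) % den == 0          # Delta = l! clears every denominator
    return DELTA * num // den


def signature_share(x, s_i):
    """x_i = x^{2 Delta s_i} mod N, a square in Z_N^*."""
    return pow(x, 2 * DELTA * s_i, N)


def combine(x, S, shares_x):
    """w = prod_{i in S} x_i^{2 lambda^S_{0,i}}; then w^e = x^{e'} with e' = 4 Delta^2,
    and y = w^a x^b with a e' + b e = 1 satisfies y^e = x."""
    w = 1
    for i in S:
        w = w * pow(shares_x[i], 2 * lam(S, i), N) % N   # negative exponent: modular inverse
    e_prime = 4 * DELTA * DELTA
    g, a, b = egcd(e_prime, E)
    assert g == 1
    return pow(w, a, N) * pow(x, b, N) % N


def verify(x, y):
    return pow(y, E, N) == x


if __name__ == "__main__":
    shares = deal()
    x = hash_to_group("pay 100 to seller")  # constructed message
    S = [1, 2, 4]
    y = combine(x, S, {i: signature_share(x, shares[i]) for i in S})
    print("threshold signature verifies:", verify(x, y))
```

The exponent $\Sigma_i 2\lambda^S_{0,i}\cdot 2\Delta s_i$ equals $4\Delta^2 d$ plus a multiple of $4\Delta n$, and $2n = \lambda(N)$ kills that multiple in $\mathbb{Z}_N^*$; this is why the shares can be reduced modulo $n$ while $\Delta$ keeps every coefficient integral, with no shareholder ever learning $n$ or $\phi(N)$.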



8.1 The Running Time of Shoup's Threshold Scheme

Our interest is to make a comparison between the running time of Shoup's scheme and our method of computation for the scheme [9]. We point out that the computation of $x_i$ can be described as $x_i = (\text{message})^{2\Delta s_i}$. The size of $2\Delta s_i$ is on the order of $O(2\,l!\,\phi(N))$. Hence this will take $O(l\log_2 l + \log_2\phi(N))$ group operations. Thus the computation is on the order of $O((l\log_2 l + \log_2\phi(N))(\log_2 N)^2)$. The computation of $x_i^{2\lambda^S_{0,i}}$ adds to this a cost of the same size. Thus we see that the computation cost of Shoup's scheme is $O((l\log_2 l + \log_2\phi(N))(\log_2 N)^2)$. Observe that we have established that the cost of group operations within [9] using our Algorithm 71 is $O(t\log_2 l\,(\log_2 N)^2 + \log_2\phi(N)(\log_2 N)^2)$. Hence whenever $t\log_2 l > \log_2\phi(N)$ we see that the threshold scheme in [9] requires less computation than Shoup's scheme. And in the case $t\log_2 l < \log_2\phi(N)$ we see that the computational cost for computing partial signatures in both schemes is equivalent to computing an RSA signature. (This argument assumes $lt\log_2 l < (\log_2 N)^2$.)

In Shoup's scheme the DISTRIBUTOR is required to compute $f(i)$, which requires time $O(t(\log_2\phi(N))^2)$. The COMBINER is required to multiply $t$ elements in $\mathbb{Z}_N$ and to compute $w^a$ and $x^b$. This is a cost of $O((t + \log_2 a + \log_2 b)(\log_2 N)^2)$.





|                      | Shoup's scheme                                    | Desmedt-Frankel scheme                                                                  |
|----------------------|---------------------------------------------------|-----------------------------------------------------------------------------------------|
| Size of share (in multiples of the size of the secret) | $1$                     | $l$                                                                                     |
| SHAREHOLDER (time)   | $(l\log_2 l + \log_2\phi(N))(\log_2 N)^2$         | $tl\log_2 l\,(t + \log\phi(N)) + [t\log_2 l + \log_2\phi(N)](\log_2 N)^2$              |
| DISTRIBUTOR (time)   | $t(\log_2\phi(N))^2$                              | $lt^2(l-t)\log_2 l\cdot\log_2\phi(N)$                                                   |
| COMBINER (time)      | $(t + \log_2 a + \log_2 b)(\log_2 N)^2$           | $t(\log_2 N)^2$                                                                         |

Within this table, we have omitted the computation cost required by the DISTRIBUTOR for producing random elements. All times are given using order notation.



9 Summary and Open Problems 



In this paper we have described algorithms which effectively speed up computations in the 
threshold RSA scheme developed by [9]. Our algorithms have addressed how to speed up 
computations within $\mathbb{Z}[u]$ and group operations. We point out that the computations within 
$\mathbb{Z}[u]$ are significantly fewer when using the algorithms that we have discussed. We also point 
out that our estimate of running time is affected by our bound on $y_{i,B}$. An upper bound on 
the coefficients in $y_{i,B}$ is affected by the indices of the $\alpha$'s used to compute $y_{i,B}$. For example, 
if set $B$ is such that all $j \in B$ are near $i$ then the coefficients in $y_{i,B}$ will be smaller. Also, within 
Lemma 1 there is the equation $\alpha_{q-x} = -u^{-x}\alpha_x$; this implies that one may assume that 
all indices of $\alpha$'s are $< q/2$. Further, it should be noted that in [10] it has been shown that 
share size can be halved. (Both of these ideas would reduce computational time, but in terms 
of order notation the time would not change.) 

We point out that to use the threshold scheme of Desmedt-Frankel, one generates 
larger shares. However, we have seen that the computational time may be smaller than for threshold RSA 
with share size proportional to the secret. Note that in terms of resources, communication 
between the SHAREHOLDERS and the COMBINER will be proportional to the secret. That is, 
the SHAREHOLDER will have to compute with this larger share, but the partial signatures 
they generate will not be of this size. The only time when communication will involve the use 
of these larger shares is during the process of dealing out the shares. 

Possible future work. Is it possible to reduce the number of computations the DISTRIBUTOR 
makes? Is it possible to create better bounds on the size of the coefficients of $y_{i,B}$? Also, 
possible work could be done on reducing the length of the share. The reason the share is of 
length $q > l + 1$ is that one needs $l$ units (i.e. $\alpha_i$). However, these units need to be special 
in the sense that their difference is also a unit. (The reason is that the security of this scheme 
is based on the Vandermonde matrix.) If one can find a smaller $q$ for which $l$ units exist with 
this property, we would see an immediate improvement in both share size and computational 
cost. (This is referred to as the Lenstra constant.) 

10 Appendix 

Lemma 1. (i) $u^q = 1$. (ii) $\alpha_1 = 1$. (iii) $\alpha_0 = 0$. (iv) $\alpha_{x+q} = \alpha_x$. (v) $u\alpha_x + 1 = \alpha_{x+1}$. 
(vi) $\alpha_x - \alpha_y = u^y\alpha_{x-y}$. (vii) $\alpha_x + u^x\alpha_{q-x} = 0$. (viii) $\alpha_{q-x} = -u^{-x}\alpha_x$. 
(ix) $\alpha_{-x} = \alpha_{q-x}$. 



Lemma 2. Let $c \in \mathbb{Z}$ and $f, g \in \mathbb{Z}[u]$, $a, b \in \mathbb{Z}^*$; then we have the following: (i) 
$\pi_1(f(u)) = f(u)$; (ii) $\pi_a(c f(u)) = c\,\pi_a(f(u))$; (iii) $\pi_a(f(u) + g(u)) = \pi_a(f(u)) + \pi_a(g(u))$; 
(iv) $\pi_a(f(u)\cdot g(u)) = \pi_a(f(u))\cdot\pi_a(g(u))$; (v) $\pi_{ab}(f(u)) = \pi_a(\pi_b(f(u))) = \pi_b(\pi_a(f(u)))$; 
(vi) $\dfrac{\alpha_{kx}}{\alpha_x} = \pi_x(\alpha_k)$; (vii) $\pi_a\!\left(\dfrac{f(u)}{g(u)}\right) = \dfrac{\pi_a(f(u))}{\pi_a(g(u))}$; and 
(viii) $\dfrac{\;\ldots\;}{\pi_a(\alpha_x)} = \pi_a(\ldots)$. 
Abstract. Threshold cryptosystems use algebraic properties such as homomorphisms 
in order to allow several parties to jointly evaluate a cryptographic primitive. 
Several cryptographic primitives, however, avoid, by definition, the use of 
algebraic properties, or otherwise their security is compromised; this is the 
case, for instance, of block ciphers, pseudo-random functions, and pseudo-random 
permutations. Is it then impossible to construct a threshold cryptosystem in 
order to share the computation of a block cipher? 

In this paper we get around this apparent impossibility by sharing the 
computation of the composition of block ciphers. Although less efficient 
than a single cipher, a composition of block ciphers is still significantly 
more efficient than a public-key encryption. We show that the problem 
of sharing the composition of block ciphers is tightly related to a va- 
riant of secret sharing, which we call sequence sharing. We define and 
investigate sequence sharing schemes by presenting matching upper and 
lower bounds for several access structures of special interest. These sche- 
mes imply constructions of block cipher sharing schemes for the same 
access structures, each having optimal (under this approach) number of 
compositions. 



1 Introduction 

The power of sharing computation in a cryptosystem is crucial in several real-life 
applications of Cryptography. Threshold cryptosystems have played an important 
role in the study of secure distributed computation. Cryptographic primitives 
and tasks to which threshold cryptosystems have been applied include several 
variants of digital signature, identification, public-key encryption and authentication 
schemes. It is of great interest to extend the domain of cryptographic 
tasks to which threshold cryptography can be applied. In this paper we consider 
new primitives, such as block ciphers, which are typically used for tasks such as 
private-key encryption and private-key authentication. We overcome their apparent 
elusiveness to threshold cryptography by proposing and investigating a 

* Copyright © 2000, Telcordia Technologies, Inc. All Rights Reserved. 

methodology for their secure usage in distributed computation. The methodology 
automatically extends to pseudo-random permutations and pseudo-random 
functions, which are used for several other tasks in Cryptography as well. 

The homomorphism-based paradigm. Since their introduction [7,6], threshold 
cryptography schemes have based their constructions on the following basic 
paradigm. A function, of different nature according to the specific cryptographic 
task, has to be computed by several parties. The function enjoys desirable 
algebraic properties, typically homomorphisms, which allow it to be divided into 
separately computable pieces. Each party can then compute a single piece, and 
all computations can then be combined to result in a final computation of the 
original function. The validity of the combination relies in a crucial way on the 
algebraic properties of the function. 

Apparently non-algebraic primitives. Despite the success of this paradigm, 
there are still cryptographic primitives to which threshold cryptography has not 
been applied yet. This is the case, for instance, of block ciphers, as well as pseudo-random 
permutations and pseudo-random functions. In fact, it is not clear a 
priori that it is possible to apply threshold cryptography to such primitives. 
One reason is that a homomorphic function or permutation can easily be seen 
to be insecure as a block cipher or a pseudo-random function. Indeed, a rule of 
thumb in the design of block ciphers is that of avoiding algebraic relations of 
any sort between inputs and outputs. 

Results on block ciphers: a new methodology. We present a formal definition 
of block cipher sharing schemes, where security against unqualified sets 
of participants is stated in the sense of impossibility of predicting the output of 
the shared cipher. More precisely, we consider two formalizations of security. The 
first one, called indistinguishability, follows the approach envisioned by Shannon, 
of requiring block ciphers to be indistinguishable from ideal (namely, random) 
ciphers. The second one is new and particularly suits our study case of threshold 
cryptography; we call it unpredictability since, informally, it requires the output 
of a block cipher (using an unknown key) to be hard to predict on any input. We 
relate the two formalizations, and express the security of block cipher sharing 
schemes according to the second. We then propose the following methodology for 
applying threshold cryptography to block ciphers: rather than sharing a block 
cipher, we would like to share the composition of a block cipher. Namely, first 
we iterate the block cipher a sufficiently large number of times, and then we ask 
each participant to compute only some of the iterations. Specifically, we share 
among $n$ participants a function of the form $F_k(x) = f_{k_m}(\cdots f_{k_2}(f_{k_1}(x))\cdots)$, where 
$k = (k_1,\ldots,k_m)$, $m \in \mathrm{poly}(n)$ and $f$ is itself a secure cipher. Then we can securely 
share $F_k$ by sharing the sequence $(k_1,\ldots,k_m)$ among the $n$ participants. 
The security of the composed cipher $F$ will be at least as strong as the atomic 
cipher $f$. Multiple repetitions of atomic ciphers are certainly less efficient than 
computing a single cipher; however, we note that private key ciphers are often 
orders of magnitude faster than their public key counterparts. In essence, 
even a large number of repeated applications of a block cipher would be faster 
than computing an RSA function. 
Results on secret sharing: a new variant. The suggested methodology gives 
rise to a new problem, of independent interest, which can be considered as 
a variant of secret sharing ([4,10]). We recall that a secret sharing scheme is a 
technique to distribute a secret (key) $k$ into shares among a set of $n$ participants 
in such a way that only qualified subsets, pooling their information together, 
can reconstruct the secret $k$, but subsets of participants that are not enabled 
to recover the secret obtain no information on the secret (see also [5,11,3,14]). 
In this paper we consider a variant which we call sequence sharing. Here, a sequence 
$k = (k_1,\ldots,k_m)$, where $k_i$ is in some alphabet $K_i$ and $m \in \mathrm{poly}(n)$, 
is shared by providing shareholders with the "secret components" $k_i$ such that 
only a quorum of shareholders has possession of the whole sequence, yet less than 
a quorum does not have possession of at least one of the $k_i$. We present a formal 
definition of sequence sharing schemes. We show that a sequence sharing scheme 
for a certain access structure can be used to transform a block cipher into a 
block cipher sharing scheme. Then we present lower bounds on the length of 
the sequence to be shared for three access structures of interest: threshold structures, 
OR-of-ANDs structures, and graph-based structures. Our lower bounds 
are general and potentially apply to several other classes of access structures. 
For the same specific access structures, we construct sequence sharing schemes 
that achieve matching upper bounds, thus automatically providing block cipher 
sharing schemes of optimal (with respect to this approach) sequence size. 

Organization of the paper. In Section 3 we review the definition of secret 
sharing schemes and present the definition of sequence sharing schemes. In Sec- 
tion 2 we review the definition of block ciphers and define their security both 
in the indistinguishability and unpredictability sense, and present the definition 
of block cipher sharing schemes. In Section 4 we show the connection between 
sequence sharing and block cipher sharing. In Section 5 we present lower bounds 
for sequence sharing schemes and applications of the lower bound technique to 
specific access structures. Upper bounds for sequence sharing schemes for such 
access structures are given in Section 6. 



2 Definitions on Block Ciphers 

We start by reviewing some basic definitions about block ciphers. Then we define 
and discuss two security notions for block ciphers: a first one, often considered 
in the literature, which we call indistinguishability, following the intuition that 
a secure cipher should be indistinguishable from a random cipher; and a second 
one, that seems to be new, which we call unpredictability, following the intuition 
that the output of a secure cipher on any input should be unpredictable. Finally 
we present and formally define the new notion of block cipher sharing schemes. 

Block ciphers: basic definitions. Block ciphers, first envisioned by Shannon 
[12], are a basic cryptographic primitive, and are today considered the most 
efficient tool for private-key encryption. Formally, let $\kappa, l$ be positive integers; a 
function $F$ from $\{0,1\}^\kappa \times \{0,1\}^l$ to $\{0,1\}^l$ is a block cipher if for each $k \in \{0,1\}^\kappa$, 
the function $F(k,\cdot)$ is a permutation. Intuitively, one can think of $F$ as a $2^\kappa$ by $2^l$ 
table, with entry $(k,x)$ containing $F(k,x)$ and where each row is a permutation 
of $\{0,1\}^l$. For convenience, we also define $F_k : \{0,1\}^l \to \{0,1\}^l$, for each 
$k \in \{0,1\}^\kappa$, as $F_k(x) = F(k,x)$, namely, the permutation of the $k$-th row of the 
table. Here, by $l$ we denote the block length of the cipher, by $\kappa$ the key length of 
the cipher, and by $BC(\kappa,l)$ the set of all block ciphers with key length $\kappa$ and 
block length $l$. Although the function $F$ does not have an inverse function, it 
does have a well defined inverse block cipher. When it is clear from context that 
$F$ is a block cipher then we will let $F^{-1}$ denote the inverse block cipher of $F$ 
from $\{0,1\}^\kappa \times \{0,1\}^l$ to $\{0,1\}^l$, which is defined as follows: $F^{-1}(k,y) = F_k^{-1}(y)$. 
That is, $F^{-1}(k,y) = x$ if and only if $F(k,x) = y$. We note that a block cipher 
can also be considered as a finite version of a pseudo-random permutation. 
Block ciphers: security model. Let $ACset = \{F,G,H,\ldots\}$ be a set of block 
ciphers in $BC(\kappa,l)$. We will be interested in operators which map block ciphers 
in $ACset$ to a block cipher in $BC(\kappa',l')$, for some values $\kappa',l'$. As an example, 
consider the following operator, consisting of the cascaded composition of ciphers 
$F, G, H$, each with an independently chosen key. Formally, define operator 
$\mathrm{Triple}[ACset] : BC(\kappa,l)^3 \to BC(3\kappa,l)$ as 

$$\mathrm{Triple}[ACset]((k_1,k_2,k_3), x) = F(k_1, G(k_2, H(k_3, x)))$$

for all $k_1,k_2,k_3 \in \{0,1\}^\kappa$ and all $x \in \{0,1\}^l$. 

First security notion: indistinguishability. Let $\mathcal{P}_l$ be the set of permutations 
over $\{0,1\}^l$. We say that a cipher $C$ is a random cipher if $C$ is uniformly 
and independently chosen from $\mathcal{P}_l$. The security of each operator in the indistinguishability 
sense will be parameterized by the probability that an adversary 
can distinguish a random cipher from the cipher obtained by instantiating the 
operator with atomic random ciphers. In this setting there is a set $ACset$ of 
atomic ciphers $F, G, H, \ldots$, and an additional cipher $O$, and the adversary is 
a computationally unlimited algorithm, making possibly probabilistic internal 
computation and possibly adaptive queries to such oracles. The adversary is allowed 
to make queries of two types. The queries of type 1 can be written as 
$(C,k,x)$, where $k \in \{0,1\}^\kappa$, $x \in \{0,1\}^l$, and either $C$ or $C^{-1} \in ACset$, and are 
answered with a value $y \in \{0,1\}^l$, meaning that $C(k,x) = y$. The queries of type 
2 can be written as $(C,x)$, where $x \in \{0,1\}^l$, and either $C = O$ or $C = O^{-1}$, and 
are answered with a value $y \in \{0,1\}^l$, meaning that $C(x) = y$. We will refer to 
such computation of the oracle as $A^{O,ACset}$. The cipher $O$ is randomly chosen to 
be either a random cipher or a cipher obtained by some composition operator, 
call it $Op$, over the ciphers in $ACset$. The goal of the adversary is to distinguish 
which of these two cases holds. Denoting by $t$ the number of queries of type 1, 
and by $q$ the number of queries of type 2 made by the adversary, we measure 
the success of the adversary as the difference of the two probabilities 

$$P_A(Op,\kappa,l,q,t) = \Pr[\,F,G,H,\ldots \leftarrow BC(\kappa,l);\ ACset \leftarrow \{F,G,H,\ldots\};\ O \leftarrow Op[ACset] : A^{O,ACset} = 1\,],$$

$$P'_A(\kappa,l,q,t) = \Pr[\,F,G,H,\ldots \leftarrow BC(\kappa,l);\ ACset \leftarrow \{F,G,H,\ldots\};\ O \leftarrow \mathcal{P}_l : A^{O,ACset} = 1\,].$$

Sharing Block Ciphers 461 

Specifically, for all adversaries $A$ and any $\kappa,l,q,t$, we define 

$$DIST_A(Op,\kappa,l,q,t) = P_A(Op,\kappa,l,q,t) - P'_A(\kappa,l,q,t).$$

The goal of the analysis of the security of a cipher obtained from a certain 
operator is to bound such quantity as a function of $\kappa,l,q,t$. The smaller such 
quantity, the more secure the cipher is. We say that an operator $Op$ is $(t,q,\varepsilon)$-indistinguishable 
if for all adversaries $A$ it holds that $DIST_A(Op,\kappa,l,q,t) \le \varepsilon$. 

Second security notion: unpredictability. The security of each operator 
in the unpredictability sense will be parameterized by the probability that an 
adversary can compute a valid input-output pair of the cipher obtained by instantiating 
the operator with an atomic ideal cipher. In this setting there is a 
set $ACset$ of atomic ciphers $F, G, H, \ldots$ and the adversary is a computationally 
unlimited algorithm, making possibly probabilistic internal computation 
and possibly adaptive queries to such oracles. He is allowed to make queries of 
the type $(C,k,x)$, where $k \in \{0,1\}^\kappa$, $x \in \{0,1\}^l$ and either $C$ or $C^{-1} \in ACset$, 
which are answered with a $y$, where $y \in \{0,1\}^l$, meaning that $C(k,x) = y$. We 
will refer to such computation of the oracle as $A^{ACset}$. The goal of the adversary 
is to output a pair $(x,y)$ that is a valid input-output pair for cipher $Op[ACset]$. 
Specifically, define probability $PRED_A(Op,\kappa,l,t)$ as equal to 

$$\Pr[\,F,G,H,\ldots \leftarrow BC(\kappa,l);\ ACset \leftarrow \{F,G,H,\ldots\};\ O \leftarrow Op[ACset];\ (x,y) \leftarrow A^{ACset} : O(x) = y\,].$$

We say that an operator $Op$ is $(t,\varepsilon)$-unpredictable if for any adversary $A$, it holds 
that $PRED_A(Op,\kappa,l,t) \le 2^{-l} + \varepsilon$. 

Relationship between the two security notions. The concepts of indistinguishability 
and unpredictability for block ciphers are related in the sense that 
the former is a less stringent requirement than the second. This is formally expressed 
in the following 

Lemma 1. Let $ACset$ be a set of atomic ciphers and let $Op$ be an operator. For 
any adversary $A$ there exists an adversary $A'$ such that for all $\kappa, l, t$, it holds that 

$$PRED_A(Op,\kappa,l,t) = DIST_{A'}(Op,\kappa,l,1,t).$$

Proof. We show that any adversary breaking $Op$ in the unpredictability sense 
can be turned into an adversary breaking $Op$ in the indistinguishability sense 
that makes only one query to the oracle $O$. Specifically, given an adversary $A$ in 
the unpredictability setting, let $PRED_A(Op,\kappa,l,t)$ be its associated probability 
of returning an input-output pair for $Op$. Then consider adversary $A'$ doing the 
following in the indistinguishability setting: $A'$ runs algorithm $A$ and sets $(x,y)$ as 
the input-output pair returned by $A$; then $A'$ asks query $x$ to oracle $O$; if $O$ replies 
with $y = O(x)$ then $A'$ returns 1, else $A'$ returns 0. Now, notice that for the given 
adversary $A'$, it holds that: 1) $P'_{A'}(\kappa,l,1,t) = 2^{-l}$, since in the experiment of 
$P'_{A'}$ the oracle $O$ is a random cipher; 2) $P_{A'}(Op,\kappa,l,1,t) = PRED_A(Op,\kappa,l,t)$, 
because of the equivalence between the experiments underlying such two probabilities. 
The lemma follows. □ 

Block cipher sharing schemes. Informally, a block cipher sharing scheme 
is a method for distributing the computation of a block cipher among a set of 
participants. Specifically, some information is distributed to participants in such 
a way that all 'qualified' subsets of participants are able to evaluate the block 
cipher over any input, while all 'unqualified' subsets of participants can evaluate 
the block cipher not significantly better than guessing at random the output 
or the unknown key of the cipher (this is formalized using the unpredictability 
notion introduced before). As before, the set of qualified subsets of participants 
is specified by a monotone access structure. We consider a model including $n$ 
participants who interact among themselves in order to produce a final computation 
and send it to the intended receiver of this result. In particular, no combiner 
algorithm is required. We now present a formal definition of block cipher sharing 
schemes. 

Definition 1. Let $n, t, q, s$ be positive integers, let $\varepsilon > 0$, let $\mathcal{P} = \{P_1,\ldots,P_n\}$ 
be a set of participants, let $\mathcal{A}$ be a monotone access structure over set $\mathcal{P}$, 
let $ACset = \{F,G,H,\ldots\}$ be a set of random ciphers, and let $Op[ACset] :$ 
$BC(\kappa,l)^s \to BC(\kappa,l)$ be an operator. A block cipher sharing scheme for cipher 
$Op[F]$ and access structure $\mathcal{A}$ is a pair $(\mathcal{K},\mathcal{E})$, where $\mathcal{K}$ is the key-sharing 
algorithm, and $\mathcal{E}$ is the evaluation protocol. Algorithm $\mathcal{K}$ is run by a dealer; on 
input a string $k$, and some random string $r$, $\mathcal{K}$ returns an $n$-tuple $(s_1,\ldots,s_n)$. 
Protocol $\mathcal{E}$ is run by a subset of participants. At the beginning of the protocol 
each participant $P_i$ has as input $s_i$ and a string $x \in \{0,1\}^l$. At the end of the 
protocol the value $y = F(k,x)$ is computed by this subset of participants (and 
implicitly sent to the intended receiver) or a failure symbol $\bot$ is returned. 

We say that pair $(\mathcal{K},\mathcal{E})$ is a block cipher sharing scheme for cipher $Op[ACset]$ 
and access structure $\mathcal{A}$ if it satisfies the properties of Correctness and Unpredictability, 
as defined below. 

1. Correctness. For any $A = \{P_{i_1},\ldots,P_{i_u}\} \in \mathcal{A}$, any $k \in \{0,1\}^\kappa$ and any 
$x \in \{0,1\}^l$ it holds that 

$$\Pr[\,F,G,H,\ldots \leftarrow BC(\kappa,l);\ ACset \leftarrow \{F,G,H,\ldots\};\ O \leftarrow Op[ACset];\ r \leftarrow \{0,1\}^*;\ (s_1,\ldots,s_n) \leftarrow \mathcal{K}(r,k);\ y \leftarrow \mathcal{E}(x, s_{i_1},\ldots,s_{i_u}) : Op[ACset](k,x) = y\,] = 1.$$

2. $(t,\varepsilon)$-Unpredictability. For any $A = \{P_{i_1},\ldots,P_{i_u}\} \notin \mathcal{A}$, making $t$ queries to 
ciphers in $ACset$, it holds that $PRED_A(Op,\kappa,l,t) \le \varepsilon$, where 

$$PRED_A(Op,\kappa,l,t) = \Pr[\,F,G,H,\ldots \leftarrow BC(\kappa,l);\ ACset \leftarrow \{F,G,H,\ldots\};\ O \leftarrow Op[ACset];\ r \leftarrow \{0,1\}^*;\ k \leftarrow \{0,1\}^\kappa;\ (s_1,\ldots,s_n) \leftarrow \mathcal{K}(r,k);\ (x,y) \leftarrow A^{ACset}(s_{i_1},\ldots,s_{i_u}) : Op[ACset](k,x) = y\,].$$
Following the original model of threshold cryptography [7,6], in the above definition 
we have assumed that the participants honestly follow their protocol. Investigations 
in threshold cryptography, later than [7,6], have analyzed the case in 
which the participants can behave in an arbitrarily malicious way. We believe 
that investigating this case is of interest for our problem as well and leave it 
open here for further investigations. 

3 Definitions: Secret and Sequence Sharing 

We review the notion of secret sharing schemes and formally define the new 
notion of sequence sharing schemes. 

Secret sharing schemes. Secret sharing schemes, first introduced in [4,10], 
are the traditional cryptographic example of how to securely and reliably distribute 
information. In a secret sharing scheme there are a dealer, $n$ participants, 
a distribution algorithm and a reconstruction algorithm. In a first phase, the 
dealer uses the distribution algorithm to share a secret key $k$ among the $n$ participants 
via shares $s_1,\ldots,s_n$, where share $s_i$ is given to the $i$-th participant. 
In a second phase, groups of participants may use their shares and the reconstruction 
algorithm in order to compute the secret key shared by the dealer in 
the first phase. The correctness requirement of secret sharing schemes says that 
'qualified' subsets of participants will successfully compute the secret key. The 
security requirement of secret sharing schemes says that 'unqualified' subsets 
of participants receive no information at all about the secret key. The set of 
qualified subsets of shares is specified by an access structure. As usually done 
in the context of secret sharing schemes, we will only consider monotone access 
structures, namely access structures such that if a subset $A$ is in the structure, 
so is any other subset that contains $A$. 

Sequence sharing schemes. Informally, a sequence sharing scheme is a method 
for distributing a sequence of secret keys among a set of participants in such a 
way that all ‘qualified’ subsets of participants are able to recover the entire 
sequence, while all ‘unqualified’ subsets of participants receive no information 
about at least one element of the sequence. Furthermore we require that the 
shares distributed to participants consist of keys taken from the sequence to be 
shared. As for the case of secret sharing schemes, the set of qualified parties is 
specified by a monotone access structure. We now present a formal definition of 
sequence sharing schemes. 

Definition 2. Let $n$ be a positive integer, let $\mathcal{P} = \{P_1,\ldots,P_n\}$ be a set of 
participants, and let $\mathcal{A}$ be a monotone access structure over set $\mathcal{P}$. A sequence 
sharing scheme for $\mathcal{A}$ is a pair of algorithms: the distribution algorithm, called 
$\mathcal{D}$, and the reconstruction algorithm, called $\mathcal{R}$. On input some random string $r$, 
and a string $k = (k_1,\ldots,k_{m(n)})$ from some key space $K = K_1 \times \cdots \times K_{m(n)}$, 
and for some function $m$, algorithm $\mathcal{D}$ returns an $n$-tuple $(s_1,\ldots,s_n)$, where 
$s_i \subseteq \{k_1,\ldots,k_{m(n)}\}$, for $i = 1,\ldots,n$. On input a tuple $(s_{i_1},\ldots,s_{i_u})$, algorithm 
$\mathcal{R}$ returns an element from set $K \cup \{\bot\}$. 
We say that a pair of algorithms $(\mathcal{D},\mathcal{R})$ is a perfectly secure sequence sharing 
scheme for access structure $\mathcal{A}$ and for sequences over $K$ if it satisfies the properties 
of Correctness and Perfect Security, as defined below. 

1. Correctness. For any $A = \{P_{i_1},\ldots,P_{i_u}\} \in \mathcal{A}$, and any $(k_1,\ldots,k_{m(n)}) \in K$, 
it holds that 

$$\Pr[\,r \leftarrow \{0,1\}^*;\ (s_1,\ldots,s_n) \leftarrow \mathcal{D}(r,(k_1,\ldots,k_{m(n)})) : \mathcal{R}(s_{i_1},\ldots,s_{i_u}) = (k_1,\ldots,k_{m(n)})\,] = 1.$$

2. Perfect Security. For any $A = \{P_{i_1},\ldots,P_{i_u}\} \notin \mathcal{A}$, for each distribution $\mathcal{T}$ 
over $K$, and all $(s_{i_1},\ldots,s_{i_u}) \subseteq K$, there exists an $i \in \{1,\ldots,m(n)\}$ such 
that for all $v \in K_i$, it holds that $p_0(v) = p_1(v)$, where 

$$p_0(v) = \Pr[\,r \leftarrow \{0,1\}^*;\ (k_1,\ldots,k_{m(n)}) \leftarrow \mathcal{T}(1^n, m);\ (sh_1,\ldots,sh_n) \leftarrow \mathcal{D}(r,(k_1,\ldots,k_{m(n)})) : k_i = v \mid sh_{i_1} = s_{i_1},\ldots,sh_{i_u} = s_{i_u}\,],$$

$$p_1(v) = \Pr[\,r \leftarrow \{0,1\}^*;\ (k_1,\ldots,k_{m(n)}) \leftarrow \mathcal{T}(1^n, m) : k_i = v\,].$$

The value m{n) in Definition 2 is also called the sequence size of sequence sharing 
scheme {T>,TZ). Note that a subset of parties not in the access structure is not 
disallowed to obtain, for instance, the value of all but one of the keys in the input 
sequence that is shared. This argument implies that a sequence sharing scheme 
for sharing a sequence k = (fci, . . . , km(n)) may not be a secret sharing scheme 
for sharing secret key k' = ki o ■ ■ ■ o kjn{n)- On the other hand, given a sequence 
sharing scheme {T>,TZ) for sharing a sequence k = {k\, . . . ,km(n)) according 
to access structure A, it is easy to derive a secret sharing scheme {'D',TZ') for 
sharing a secret k' according to access structure A. Specifically, algorithm T>' 
writes the secret key k' as k' = k[ (B ■■■ (B randomly chosen k[, and 

then uses algorithm T> to share the sequence {k[,. . . , algorithm TZ' uses 

algorithm TZ to recover sequence (/c{, . . . , and then computes k' by xoring 

the elements of this sequence. 

4 Sequence Sharing vs. Block Cipher Sharing 

In this section we show the connection between sequence sharing and block cipher 
sharing. Specifically, we show that given a sequence sharing scheme and a block 
cipher (for which, in general, it is not known how to share the computation), it 
is possible to construct a block cipher sharing scheme. Formally, we obtain the 
following 

Theorem 1. Let $n, l, \kappa$ be integers, let $F$ be a block cipher with key length $\kappa$ and 
block length $l$, and, for any function $m$, define operator $m\text{-Comp} : BC(\kappa,l) \to$ 
$BC(m\cdot\kappa, l)$ as 

$$m\text{-Comp}[F]((k_1,\ldots,k_{m(n)}), x) = F(k_{m(n)}, F(k_{m(n)-1}, \ldots, F(k_1, x)\cdots)),$$

for all $x \in \{0,1\}^l$, and all $k_1,\ldots,k_{m(n)} \in \{0,1\}^\kappa$. Also, let $\mathcal{P}$ be a set of $n$ 
participants, and $\mathcal{A}$ be an access structure over $\mathcal{P}$, and assume there exists a sequence 
sharing scheme for $\mathcal{A}$ and for sequences over $(\{0,1\}^\kappa)^{m(n)}$. If $t < 2^\kappa$ there 
exists a $(t,\varepsilon)$-unpredictable block cipher sharing scheme for cipher $m\text{-Comp}[F]$ 
and access structure $\mathcal{A}$, where $\varepsilon = t/2^\kappa$. 

In the rest of this section we prove Theorem 1. Informally, our basic approach is 
to schedule the $m(n)$ independent keys used by the composed cipher $m\text{-Comp}[F]$ 
through the distribution algorithm of the sequence sharing scheme. In other 
words, we securely share $m\text{-Comp}[F]$ among the participants by sharing the 
sequence $k_1,\ldots,k_{m(n)}$ of keys for $m\text{-Comp}[F]$ among them through the sequence 
sharing scheme. Note that all subsets of participants in the access structure $\mathcal{A}$ 
can compute all keys $k_1,\ldots,k_{m(n)}$ and thus compute $m\text{-Comp}[F](x)$ for any 
$x \in \{0,1\}^l$. On the other hand, all subsets of participants that do not belong 
to the access structure $\mathcal{A}$ will get no information about at least one of the keys 
$k_i$ and therefore will not be able to guess the value of $m\text{-Comp}[F]$ on an input 
$x$ significantly better than by guessing at random either the output or the value 
of the key. Now we proceed more formally. 

Let us denote by $(\mathcal{D},\mathcal{R})$ a sequence sharing scheme for access structure $\mathcal{A}$. We 
now present a block cipher sharing scheme $(\mathcal{K},\mathcal{E})$ for cipher $m\text{-Comp}[F]$. 

The algorithm $\mathcal{K}$. On input parameters $1^n$, $1^\kappa$, and a function $m$, do the following. 
First, uniformly choose $\kappa$-bit keys $k_1,\ldots,k_{m(n)}$. Second, run algorithm 
$\mathcal{D}$ on input $(k_1,\ldots,k_{m(n)})$ and let $(s_1,\ldots,s_n)$ be its output. Finally, return the 
tuple $(s_1,\ldots,s_n)$ as output. 

The protocol $\mathcal{E}$. Each participant $P_i$ is given $s_i$ as additional input and writes 
$s_i$ as a subset $KS_i$ of $K = \{k_1,\ldots,k_{m(n)}\}$. For $i = 1,\ldots,m(n)$, let $j_i$ be a fixed 
index (for instance, the smallest) in $\{1,\ldots,n\}$ such that the subset $KS_{j_i}$ of keys 
given to participant $P_{j_i}$ contains key $k_i$. Then the participant $P_{j_1}$ having key 
$k_1$ in its subset $KS_{j_1}$ computes $y_1 = F(k_1,x)$ and sends it to a (not necessarily 
different) participant $P_{j_2}$ having key $k_2$ in its subset $KS_{j_2}$. For $i = 2,\ldots,m(n)$, 
the participant $P_{j_i}$ that has received $y_{i-1}$ computes $y_i = F(k_i,y_{i-1})$ and sends 
it to a (not necessarily different) participant $P_{j_{i+1}}$ having key $k_{i+1}$ in its subset 
$KS_{j_{i+1}}$. Finally, participant $P_{j_{m(n)}}$ can compute $y = y_{m(n)}$. The output of the 
protocol is set equal to $y$. If no participant can compute $y_{m(n)}$, the output of the 
protocol is set equal to $\bot$. 

Correctness property of pair $(\mathcal{K},\mathcal{E})$. The correctness property of $(\mathcal{K},\mathcal{E})$ follows 
from the correctness property of $(\mathcal{D},\mathcal{R})$. Specifically, the latter property 
implies that, for each $i = 1,\ldots,m(n)$, there exists at least one participant $P_{j_i}$ in 
$A$ whose share $s_{j_i}$ contains key $k_i$. Therefore, any subset $A \in \mathcal{A}$ of participants 
can recover the sequence $(k_1,\ldots,k_{m(n)})$. Now, observe that protocol $\mathcal{E}$ is constructed 
so as to simulate the computation of cipher $m\text{-Comp}[F]$ using interaction 
between the various parties in $A$, and therefore, the value $y$ will be correctly 
computed with probability 1. 
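The construction of Definition 2 and of the pair (K, E) above, as an added example that is not code from the paper: a sequence sharing scheme for an arbitrary monotone access structure (using this example's own rule of one key per maximal unqualified set, not the optimal schemes of Section 6), the key-sharing algorithm K, and the chained protocol E evaluating m-Comp[F] with a stand-in Feistel cipher in place of a real block cipher F.

```python
import hashlib
import itertools
import os

# Added example, not code from the paper.  The key-assignment rule (one key per
# maximal unqualified set) is this example's own construction, chosen because
# correctness and perfect security are easy to verify by hand.


def toy_cipher(key: bytes, x: int, rounds: int = 8) -> int:
    """Stand-in for the atomic block cipher F(k, x) on 64-bit blocks.

    An 8-round Feistel network whose round function is SHA-256 of
    (key, round number, right half).  For every key this is a permutation of
    {0,1}^64, which is all the protocol relies on; it is a placeholder for a
    real cipher, not something to protect data with.
    """
    left, right = x >> 32, x & 0xFFFFFFFF
    for r in range(rounds):
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(digest[:4], "big")
    return (left << 32) | right


def m_comp(keys, x: int) -> int:
    """The composed cipher m-Comp[F]((k_1, ..., k_m), x) = F(k_m, ... F(k_1, x) ...)."""
    for k in keys:
        x = toy_cipher(k, x)
    return x


def threshold_structure(n: int, t: int):
    """Minimal qualified sets of the t-out-of-n threshold access structure."""
    return [frozenset(c) for c in itertools.combinations(range(1, n + 1), t)]


def is_qualified(subset, minimal_qualified) -> bool:
    """Membership in a monotone access structure given by its minimal sets."""
    return any(q <= frozenset(subset) for q in minimal_qualified)


def maximal_unqualified_sets(n: int, minimal_qualified):
    """Unqualified sets that become qualified as soon as any participant joins."""
    parties = range(1, n + 1)
    unqualified = [frozenset(c) for r in range(n + 1)
                   for c in itertools.combinations(parties, r)
                   if not is_qualified(c, minimal_qualified)]
    return [u for u in unqualified if not any(u < v for v in unqualified)]


def distribute(n: int, minimal_qualified, key_len: int = 16):
    """Algorithm K (dealer): a fresh key k_j for every maximal unqualified set
    U_j, handed to exactly the participants outside U_j.

    Returns (keys, shares) where shares[i] is KS_i, a dict {j: k_j} of the keys
    participant P_i holds.  A qualified set is never contained in any U_j, so
    one of its members holds each k_j; an unqualified set lies inside some U_j,
    and none of its members ever sees k_j (the perfect-security condition).
    """
    maximal = maximal_unqualified_sets(n, minimal_qualified)
    keys = [os.urandom(key_len) for _ in maximal]
    shares = {i: {} for i in range(1, n + 1)}
    for j, u in enumerate(maximal):
        for i in range(1, n + 1):
            if i not in u:
                shares[i][j] = keys[j]
    return keys, shares


def missing_keys(active, shares, m: int):
    """Indices of sequence elements held by nobody in `active` (empty iff qualified)."""
    held = set().union(*(shares[p].keys() for p in active))
    return set(range(m)) - held


def evaluate(active, shares, m: int, x: int):
    """Protocol E: for i = 1..m the lowest-numbered active participant holding
    k_i applies F(k_i, .) to the running value and passes it on.  Returns y, or
    None (the failure symbol) when some k_i is held by no active participant."""
    y = x
    for i in range(m):
        holders = [p for p in sorted(active) if i in shares[p]]
        if not holders:
            return None
        y = toy_cipher(shares[holders[0]][i], y)   # only P_{j_i}'s own share is used
    return y


if __name__ == "__main__":
    # constructed sample: 3-out-of-4 threshold structure and a 64-bit test block
    keys, shares = distribute(4, threshold_structure(4, 3))
    x = 0x0123456789ABCDEF
    print("sequence size m(n) =", len(keys))                          # the 6 maximal 2-sets
    print(evaluate({1, 2, 3}, shares, len(keys), x) == m_comp(keys, x))  # True
    print(evaluate({2, 4}, shares, len(keys), x))                      # None: {2,4} unqualified
```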

Unpredictability property of pair $(\mathcal{K},\mathcal{E})$. Assume by contradiction that 
there exists an integer $x$ and a group $A \notin \mathcal{A}$ of participants who can compute $y =$ 
$m\text{-Comp}[F]((k_1,\ldots,k_{m(n)}), x)$ with probability $\varepsilon$ and making $t$ queries to cipher 
$F$. Let $SK_A = \{k_{i_1},\ldots,k_{i_u}\}$ be the sequence of keys among $\{k_1,\ldots,k_{m(n)}\}$ that 
the participants in $A$ are distributed by the dealer and let $d = m(n) - |SK_A|$. 
We can divide sequence $(k_{m(n)},\ldots,k_1)$ into subsequences $S_0, S_1,\ldots,S_d, S_{d+1}$, 
defined as follows. The (possibly empty) sequence $S_{d+1}$ is the sequence of keys 
$(k_{m(n)}, k_{m(n)-1},\ldots,k_{e_{d+1}})$, where $e_{d+1}$ is the largest index in $\{1,\ldots,m(n)\}$ such 
that all keys in $S_{d+1}$ are in $SK_A$ and $k_{e_{d+1}-1}$ is not. Similarly, the (possibly empty) 
sequence $S_0$ is the sequence of keys $(k_{e_0-1},\ldots,k_2,k_1)$, where $e_0$ is the smallest 
index in $\{1,\ldots,m(n)\}$ such that all keys in $S_0$ are in $SK_A$ and $k_{e_0}$ is not. 

For $j = d,\ldots,1$, the non-empty sequence $S_j$ is constructed as the sequence 
$(k_{e_{j+1}-1},\ldots,k_{e_j})$, where $e_j$ is the largest index in $\{1,\ldots,m(n)\}$ such that key 
$k_{e_{j+1}-1}$ is not in $SK_A$, all remaining keys in $S_j$ are in $SK_A$ and key $k_{e_j-1}$ is 
not in $SK_A$. We can associate an operator to each of the $d$ sequences $S_1,\ldots,S_d$. 
Specifically, define operator $G_j : BC(\kappa,l) \to BC(\kappa,l)$ as 

$$G_j[F; (k_{e_j},\ldots,k_{e_{j+1}-2})](k, x) = F(k, F(k_{e_{j+1}-2}, \ldots, F(k_{e_j}, x)\cdots)).$$

Operator $G_j$ can also be seen as operator $F$ composed with a fixed permutation. 
Therefore, note that the security, in the indistinguishability sense, of the operator 
$G_j$ is essentially the same as that of the original cipher $F$ (the proof of this fact 
is simple, but not necessary for the rest of the proof). 

We now define operator $G$ as the composition of all operators $G_1,\ldots,G_d$. 
Namely, 

$$G[F](k_1,\ldots,k_d,x) = G_d(k_d, G_{d-1}(k_{d-1}, \ldots, G_1(k_1, x)\cdots)),$$

for all $x \in \{0,1\}^l$ and $k_1,\ldots,k_d \in \{0,1\}^\kappa$. Note that $G[F]$ can essentially be 
seen as a projection of $m\text{-Comp}[F]$ to a cipher where some of the keys have 
been fixed to some specific values (namely, those in $SK_A$). The main result in 
[1] can be restated as saying that for all adversaries $A$ and all $d, \kappa, l, q, t$, it holds 
that $DIST_A(d\text{-Comp}, \kappa, l, q, t) \le (t/2^\kappa)^d$. We note that extending the proof in 
that paper to the case of $G$ presents no technical difficulty. The assumption that 
$A \notin \mathcal{A}$ implies that $|SK_A| \le m(n) - 1$ and therefore $d \ge 1$; we thus obtain the 
following 

Lemma 2. For any adversary $A$, all $\kappa, l, t, q$ such that $t < 2^\kappa$, and all $j = 1,\ldots,d$, 
it holds that 

$$DIST_A(G, \kappa, l, q, t) \le t/2^\kappa.$$

The $(t,\varepsilon)$-unpredictability, for $\varepsilon = t/2^\kappa$, of $m\text{-Comp}[F]$ directly follows by combining 
Lemma 1 with Lemma 2. 

5 A Lower Bound Technique for Sequence Sharing 

In this section we prove lower bounds on the sequence size of a sequence sharing
scheme for several access structures, such as threshold structures, graph-based
access structures, and structures that can be represented as an OR-of-ANDs
boolean circuit. In fact, we give a general technique for finding lower bounds for
sequence sharing schemes, which can potentially apply to several other access
structures. These bounds, as we show in Section 6, turn out to be tight. The
presentation is divided as follows. First, in Section 5.1, we present our general
lower bound technique. Then, in Section 5.2, we apply the general technique to
specific examples of access structures of particular interest. Because of Theorem 1,
any lower bound on the sequence size of sharing schemes gives a lower
bound on the number of iterations of the atomic cipher necessary to obtain a
block cipher sharing scheme using the composition approach suggested in this
paper.

5.1 A General Lower Bound Technique 

We show a lower bound on the sequence size for any sequence sharing scheme as a
function of the number of subsets that satisfy a certain condition with respect to
the access structure. Before stating our result, we need the following definition.

Definition 3. Let $S$ be a set of size $n$, and let $A$ be a monotone set of subsets
of $S$. We say that set $IS_{S,A} \subseteq 2^S$ is a maximal independent set associated with
$S$ and $A$, if for any $S_1, S_2 \in IS_{S,A}$ it holds that $S_1, S_2 \notin A$ and $S_1 \cup S_2 \in A$.

The terminology used in defining the above set is taken from its instantiation
for the case of graph-based structures, which we will see in more detail later.
Now we can state our result as the following

Theorem 2. Let $P$ be a set of $n$ participants, let $A$ be an access structure over
$P$. Also, let $(\mathcal{D}, \mathcal{R})$ be a sequence sharing scheme for $A$, and let $IS_{P,A}$ be a
maximal independent set associated with set $P$ and access structure $A$. If $m(n)$
is the sequence size of $(\mathcal{D}, \mathcal{R})$, then it holds that $m(n) \geq |IS_{P,A}|$.

Proof. We define a function that associates to a set $S$ in $IS_{P,A}$ the keys that
are not received by the parties in subset $S$ after an execution of algorithm $\mathcal{D}$,
and prove that any two distinct inputs to such function are mapped to disjoint
subsets of keys. The theorem then follows as a direct consequence. Now we
proceed more formally.

Let $K$ be the set of keys that are in the sequence that is to be shared according
to scheme $(\mathcal{D}, \mathcal{R})$ (i.e., if the sequence contains all distinct keys, then
$K = \{k_1, \dots, k_{m(n)}\}$). Let $(s_1, \dots, s_n)$ be the output of $\mathcal{D}$. Note that by
definition of sequence sharing scheme it holds that $s_i \subseteq K$, for $i = 1, \dots, n$.
Now, define function $g : IS_{P,A} \rightarrow 2^K$ such that for any $S \in IS_{P,A}$, $g(S)$ is
equal to $K \setminus \bigcup_{P_i \in S} s_i$, the keys that no party in $S$ receives. Now take two
distinct $S_1, S_2 \in IS_{P,A}$ and assume by contradiction that $g(S_1) \cap g(S_2) \neq \emptyset$.
Recall that by definition of maximal independent set, we know that both $S_1, S_2$
do not belong to $A$, and $S_1 \cup S_2 \in A$. However, by our assumption, we obtain
that at least one key is both in the subset of keys $g(S_1)$ and in the subset of keys
$g(S_2)$, which implies that there is at least one key that $S_1 \cup S_2$ won't be able to
recover out of $K$. This implies that $S_1 \cup S_2 \notin A$, which contradicts the
definition of maximal independent set. □
5.2 Lower Bounds for Specific Access Structures

We consider specific access structures that are of particular interest in the
literature and show that Theorem 2 can be used to compute a lower bound
on the sequence size of any sequence sharing scheme for such structures. Let
$P = \{P_1, \dots, P_n\}$ be a set of participants.

Threshold structures. Let $t$ be a positive integer such that $t \leq n$. The $(t, n)$-
threshold structure is defined as $A_{t,n} = \{S \mid S \subseteq P, |S| \geq t\}$. By definition of
independent set, we observe that for this structure the set $IS_{P,A_{t,n}}$ is the set of
all subsets of $P$ of size $t-1$. Therefore, by Theorem 2 we obtain that the length
of the sequence in any sequence sharing scheme for access structure $A_{t,n}$ is at
least the number of subsets of $P$ of size $t-1$, that is, $\geq \binom{n}{t-1}$.

OR-of-ANDs structures. Let $a, b$ be positive integers such that $a, b \leq n$, let
$T_1 = \{P_{i_1}, \dots, P_{i_a}\}$, let $T_2 = \{P_{j_1}, \dots, P_{j_b}\}$ and $T = T_1 \cap T_2$, where $|T| = c$,
for some positive integer $c$. The OR-of-ANDs structure is defined as
$A_{or,a,b,c} = \{S \mid S \subseteq P, (S \supseteq T_1) \vee (S \supseteq T_2)\}$. By definition of independent
set, we observe that for this structure the set $IS_{P,A_{or,a,b,c}}$ can be characterized
as the set of subsets that can be written as $X \cup Y$, where either $X = T_1 \setminus \{x\}$,
$Y = T_2 \setminus \{y\}$, for all $x \in T_1$ and $y \in T_2$ such that $x, y \notin T$, or $X = T_1 \setminus \{z\}$,
$Y = T_2 \setminus \{z\}$, for all $z \in T$. From this characterization, we obtain that
$|IS_{P,A_{or,a,b,c}}| = (a-c)(b-c)+c$. Therefore, by Theorem 2 we obtain that the
length of the sequence in any sequence sharing scheme for access structure
$A_{or,a,b,c}$ is greater than or equal to $(a-c)(b-c)+c$.

Graph-based structures. Let $G_n = (V, E)$ be a graph such that $|V| = n$. The
$G_n$-based access structure is defined as
$A_{G_n} = \{S \mid S \subseteq V, \exists\, x, y \in S \text{ such that } (x, y) \in E\}$.
By definition of independent set, we observe that for this structure the set
$IS_{P,A_{G_n}}$ can be characterized as the set $MIS(G_n)$ of all maximal and
independent subsets of nodes of $G_n$ (namely, those subsets $S$ of nodes such that
no two nodes having an edge in $G_n$ are in $S$, and such that adding one node to $S$
would violate this property). We note that even for simple graphs such as a path
among $n$ nodes, the number of maximal and independent sets is at least $2^{n/3}$.
Therefore, by Theorem 2 we obtain that there exists a graph $G_n$ such that the
length of the sequence in any sequence sharing scheme for access structure
$A_{G_n}$ is greater than $2^{n/3}$.

We obtain the following

Theorem 3. Let $P$ be a set of $n$ participants, let $A$ be an access structure over
$P$. For any sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for $A$, if $m((\mathcal{D}, \mathcal{R}), A)$ is the
sequence size of $(\mathcal{D}, \mathcal{R})$, then it holds that

1. if $A = A_{t,n}$ then $m((\mathcal{D}, \mathcal{R}), A) \geq \binom{n}{t-1}$;

2. if $A = A_{or,a,b,c}$ then $m((\mathcal{D}, \mathcal{R}), A) \geq (a-c)(b-c)+c$;

3. if $A = A_{G_n}$ then $m((\mathcal{D}, \mathcal{R}), A) \geq |MIS(G_n)| \geq 2^{n/3}$.
6 Upper Bounds for Sequence Sharing Schemes

In this section we show sequence sharing schemes for access structures of special
interest in the literature, such as threshold structures, graph-based access
structures, and structures that can be represented as an OR-of-ANDs boolean
circuit. In all three cases we obtain an upper bound on the sequence length of
the specific sequence sharing scheme that exactly matches the lower bound given
in Section 5. Because of Theorem 1, any upper bound on the sequence size of
sharing schemes gives an upper bound on the number of iterations of the atomic
cipher necessary to obtain a block cipher sharing scheme using the composition
approach suggested in this paper. The technique used to construct the sequence
sharing scheme is similar in all three cases. Let $P = \{P_1, \dots, P_n\}$ be a set of
participants, and recall the definitions of access structures $A_{t,n}$, $A_{or,a,b,c}$,
$A_{G_n}$ from the previous section.

Threshold structures. Let $m$ be a function defined as $m(t, n) = \binom{n}{t-1}$,
enumerate all subsets of $P$ of size $t-1$ as $A_1, \dots, A_{m(t,n)}$ and define sequence
$k = (k_1, \dots, k_{m(t,n)})$. Then define a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for
access structure $A_{t,n}$ as follows. For $i = 1, \dots, n$, algorithm $\mathcal{D}$ gives to party
$P_i \in P$ all keys $k_j$ such that $P_i \notin A_j$, for $j = 1, \dots, m(t, n)$. Algorithm $\mathcal{R}$
goes as follows. Let $A \subseteq P$ be such that $|A| \geq t$. Then for any
$i \in \{1, \dots, m(t, n)\}$, there exists a $P_j \in A$ such that $P_j \notin A_i$, and therefore
$P_j$ has been distributed $k_i$.

OR-of-ANDs access structures. Let $m$ be a function defined as
$m(a, b, c) = (a-c)(b-c)+c$, enumerate all subsets of $P$ that can be written as
$X \cup Y$, where either $X = T_1 \setminus \{x\}$, $Y = T_2 \setminus \{y\}$, for all $x \in T_1$ and $y \in T_2$
such that $x, y \notin T$, or $X = T_1 \setminus \{z\}$, $Y = T_2 \setminus \{z\}$, for all $z \in T$. Let us call
these subsets $A_1, \dots, A_{m(a,b,c)}$ and define sequence $k = (k_1, \dots, k_{m(a,b,c)})$.
Then define a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for access structure
$A_{or,a,b,c}$ as follows. For $i = 1, \dots, n$, algorithm $\mathcal{D}$ gives to party $P_i \in P$ all
keys $k_j$ such that $P_i \notin A_j$, for $j = 1, \dots, m(a, b, c)$. Algorithm $\mathcal{R}$ goes as
follows. Let $A \subseteq P$ be such that $A \in A_{or,a,b,c}$. Then for any
$i \in \{1, \dots, m(a, b, c)\}$, there exists a $P_j \in A$ such that $P_j \notin A_i$, and
therefore $P_j$ has been distributed $k_i$.

Graph-based access structures. Let $m$ be a function defined as
$m(n) = |MIS(G_n)|$, where recall that $MIS(G_n)$ is the set of all maximal and
independent subsets of nodes of graph $G_n$. Also, let us enumerate all subsets of
$P$ in $MIS(G_n)$ as $A_1, \dots, A_{m(n)}$, and define sequence $k = (k_1, \dots, k_{m(n)})$.
Then define a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for access structure $A_{G_n}$
as follows. For $i = 1, \dots, n$, algorithm $\mathcal{D}$ gives to party $P_i \in P$ all keys $k_j$
such that $P_i \notin A_j$, for $j = 1, \dots, m(n)$. Algorithm $\mathcal{R}$ goes as follows. Let
$A \subseteq P$ be such that $A \in A_{G_n}$. Then for any $i \in \{1, \dots, m(n)\}$, there exists
a $P_j \in A$ such that $P_j \notin A_i$, and therefore $P_j$ has been distributed $k_i$.

We obtain the following

Theorem 4. Let $P$ be a set of $n$ participants and let $A$ be an access structure
over $P$. It holds that:

1. if $A = A_{t,n}$ then there exists a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for $A$
whose sequence size is equal to $\binom{n}{t-1}$;

2. if $A = A_{or,a,b,c}$ then there exists a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for
$A$ whose sequence size is equal to $(a-c)(b-c)+c$;

3. if $A = A_{G_n}$ then there exists a sequence sharing scheme $(\mathcal{D}, \mathcal{R})$ for $A$
whose sequence size is equal to $|MIS(G_n)|$.
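As an added illustration (example code, not from the paper), the following Python builds the Section 6 scheme for all three access structures from the family of maximal unauthorized sets (which, for a monotone structure, is a maximal independent set in the sense of Definition 3: the $(t-1)$-subsets, the $X \cup Y$ sets, or $MIS(G_n)$) and checks both that exactly the authorized groups recover every key and that the map $g$ from the proof of Theorem 2 sends distinct members of the family to disjoint key sets. The participant labels, the small graphs and the brute-force enumeration are assumptions made for illustration.

```python
# Added example (not the paper's code): the Section 6 sequence sharing scheme
# for threshold, OR-of-ANDs and graph-based structures, plus the checks behind
# Theorems 2 and 4.  Parties, graphs and enumeration are constructed/assumed.
from itertools import combinations


def threshold(t):
    """(t, n)-threshold structure A_{t,n}: authorized iff |S| >= t."""
    return lambda S: len(S) >= t


def or_of_ands(T1, T2):
    """A_{or,a,b,c}: authorized iff S contains T1 or S contains T2."""
    T1, T2 = frozenset(T1), frozenset(T2)
    return lambda S: T1 <= S or T2 <= S


def graph_based(edges):
    """A_{G_n}: authorized iff S contains both endpoints of some edge."""
    return lambda S: any(x in S and y in S for x, y in edges)


def maximal_unauthorized_sets(parties, authorized):
    """Brute-force the family A_1, ..., A_m of Section 6: unauthorized sets
    every strict superset of which is authorized.  For a monotone structure
    two distinct such sets are unauthorized with an authorized union, so the
    family is a maximal independent set in the sense of Definition 3."""
    parties = tuple(parties)
    family = []
    for r in range(len(parties) + 1):
        for S in combinations(parties, r):
            S = frozenset(S)
            if authorized(S):
                continue
            if all(authorized(S | {p}) for p in parties if p not in S):
                family.append(S)
    return family


def distribute(parties, blocking):
    """Algorithm D: party P_i receives every key k_j with P_i not in A_j.
    A key is represented by its index j in the sequence (k_1, ..., k_m)."""
    return {p: frozenset(j for j, A in enumerate(blocking) if p not in A)
            for p in parties}


def recover(shares, group):
    """Algorithm R: a group of parties pools the keys it was given."""
    return frozenset().union(*(shares[p] for p in group))


def unreceived(shares, m, group):
    """The map g in the proof of Theorem 2: keys held by no member of group."""
    return frozenset(range(m)) - recover(shares, group)


def check_scheme(parties, authorized):
    """Build the scheme and verify it.  Returns (m, realizes, disjoint):
    m is the sequence size, realizes is True iff exactly the authorized groups
    recover all m keys, and disjoint is True iff g maps distinct blocking sets
    to disjoint key sets (here g(A_j) = {j}, the Theorem 2 argument)."""
    parties = tuple(parties)
    blocking = maximal_unauthorized_sets(parties, authorized)
    m = len(blocking)
    shares = distribute(parties, blocking)
    all_keys = frozenset(range(m))
    realizes = all(
        authorized(frozenset(g)) == (recover(shares, g) == all_keys)
        for r in range(len(parties) + 1) for g in combinations(parties, r))
    images = [unreceived(shares, m, A) for A in blocking]
    disjoint = all(images[i].isdisjoint(images[j])
                   for i in range(m) for j in range(i + 1, m))
    return m, realizes, disjoint


if __name__ == "__main__":
    P = range(1, 6)                                       # constructed: 5 parties
    print(check_scheme(P, threshold(3)))                  # (10, True, True): C(5,2)
    print(check_scheme(P, or_of_ands({1, 2, 3}, {3, 4, 5})))  # (5, True, True)
    path = [(i, i + 1) for i in range(1, 6)]              # constructed path on 6 nodes
    print(check_scheme(range(1, 7), graph_based(path)))   # (5, True, True) = |MIS|
```

The third call also illustrates the path bound of Section 5.2: the path on 6 nodes has 5 maximal independent sets, which is at least $2^{6/3} = 4$.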
Abstract. This paper examines some ways risk arises in electronic commerce 
systems, and considers whether and how cryptography can be used to manage 
these risks. The paper suggests a taxonomy of information artifacts based on 
the kinds of risks they give rise to. The paper proposes protection regimes for 
several members of the taxonomy. 



1 Business and Risk 

More and more, businesses are offering products and services over electronic net- 
works. Doing this generates risks. Electronic products can be stolen, damaged, or 
destroyed; electronic services can be stolen, corrupted, or disrupted. 

In response to a growing awareness of these risks, a variety of security technologies 
have been developed. Many rely on the application of cryptographic confidentiality 
and integrity protection to stored or transmitted data. 

In this paper we discuss a set of risks to electronic products and services, and in- 
vestigate how well cryptographic mechanisms manage them. 



2 Risk 

We'll start with a simple definition of risk, derived from [1]: risk is the probability of a 
failure multiplied by the consequences of that failure. 

risk = probability(failure) * consequence(failure) 

For the purposes of this paper, we'll consider a failure to be any event which causes 
a business to lose money through loss of, or damage to, an electronic asset. We won't 
consider how to measure the probability of a failure. In general an assumption that the 
probability of a failure is non-zero and changes in a predictable way over time will be 
enough to make our points. 

Our definition of risk will make sense if we can assign a number to the consequences 
of a failure. In a business context there is a convenient metric: the dollar 
value of the loss which a failure inflicts on the business. We will adopt this quantity 
as the definition of the consequence of failure, without going into consideration of 
how to measure it. Thus risk amounts to the expected dollar loss due to a failure. 



3 Value 

For failures to have consequences, electronic assets must have value. In today’s world 
lots of them do: electronic cash has direct cash value; digital documents, music, and 
movies can be sold and therefore have values. Demographic information — which can 
be used to generate business opportunities — has a value. Even a connection to an 
information system (for example, an Internet Service Provider connection) has a value 
independent of the value of the information system itself. 



4 Intrinsic and Contingent Value 

We consider two kinds of value in this paper: intrinsic value and contingent value. 

An information artifact has contingent value if a failure "in bit-space" (loss, destruction, 
modification, or disclosure of the information artifact) causes a loss "in 
atom-space" (for example, loss or devaluation of a physical asset). Examples of in- 
formation artifacts with contingent value include: 

ownership certificates 
coupons (with expiration dates) 
contracts 

An information artifact has intrinsic value if a failure "in bit-space" is a loss all by 
itself — that is, if the information artifact is the asset. Examples of information arti- 
facts with intrinsic value include: 

electronic books, music, and movies 
e-cash 



5 Characteristics of Cryptography 

Every cryptographically protected information artifact has three decay properties: 

Key decay: Because an attacker can exhaustively search a space of 
cryptographic keys over time, the "remaining effective strength" of 
protection applied to an information artifact by the use of encryp- 
tion with a particular key decreases over time. 
Algorithm decay: Because attackers can make mathematical progress 
on the problems underlying cryptosystems, the "remaining effective 
strength" of protection applied to an information artifact by 
the use of encryption using a particular algorithm decreases over 
time. 

Secrecy decay: Because people aren’t good at keeping secrets (es- 
pecially secrets consisting of long strings of random bits) the pro- 
tection applied to an information artifact by the use of encryption 
using a particular secret (or "private") key may decrease over time. 

For example, shares of a secret sharing scheme, or characters of a 
password, may "leak" over time. 

These three properties suggest an obvious law: 

The law of effectiveness decay: 

For every information artifact protected at time t by the application 
of encryption under a particular key using a particular algorithm, 
there is a time of failure f > t at which the remaining effective 
strength of the protection provided by the encryption is zero. 

A consequence of the law of effectiveness decay is that at time f, the probability of 
failure is 1. And at that time the risk is equal to the consequence of failure. 



6 Alice Risk 

Information artifacts which have contingent value are like Alice through the looking 
glass - they can be moved from "atom-space" to "bit-space" and back again. When 
they’re in "atom-space" they’re not subject to risk in "bit-space", and vice versa. 

An example of this is a title deed. Let’s say we start with a paper title deed. We 
can convert the paper form of a title deed into an electronic form. Then we can apply 
an integrity-protection primitive (like a digital signature, for instance) to it, give it an 
expiration date, and destroy the paper deed. 

While it is in electronic form, it’s subject to theft or modification if the encryption 
can be broken. But now consider what happens when the electronic form of the deed 
expires. We can use the electronic form of the deed to generate a new paper title deed 
just before the expiration date. Immediately after this, the electronic deed expires and 
the new paper form becomes effective. We’ve taken the deed "out" of "bit-space" and 
moved it back into "atom-space". If we design our expiration (and record-keeping) 
mechanisms properly, there’s no remaining risk associated with the electronic deed, 
because it now has zero value (having expired). The risk has been transferred to the 
new paper deed back in "atom-space". 
7 Mitigating Alice Risk 

The preceding discussion suggests a way to mitigate Alice-type risk: we simply (1) 
establish a risk threshold, (2) predict the rate of effectiveness decay, and (3) design 
expiration intervals to insure that the risk never reaches our threshold while the artifact 
is still in "bit-space". We'll call this technique "periodic manifestation", since the 
artifact becomes manifest in atom-space periodically, whenever the risk in "bit-space" 
gets too high. 

We should note that in order for periodic manifestation to be effective, it is neces- 
sary to design the "bit-space" system so that it has an arrow of time. If an attacker can 
ever turn back the clock — so that an expired information artifact appears to be valid — 
he can re-introduce risk. 

Periodic manifestation may also require bookkeeping to keep track of which ver- 
sion of an Alice-type artifact (the "bit-space" version or the "atom-space" version) is 
valid at any particular time. 

The following diagram shows how risk changes over time for Alice-type informa- 
tion artifacts in a periodic manifestation system: 
8 Bob Risk 

Information artifacts which have inherent value are not like Alice. They can't move 
back and forth across the boundary between "bit-space" and "atom-space". Since the 
authors can't do this either, we'll say that artifacts which have inherent value are like 
Bob. Once an inherent-value artifact exists in "bit-space", it's stuck there, and it is 
subject to risk in "bit-space" from that point on. 

An example of this is a digital music track. Let's say we start with a studio recording 
session. We can capture the artist's performance and apply a cryptographic copy-protection 
primitive to it. Then we can distribute it. 

Once we’ve distributed the protected artifact, an attacker can make a copy of it and 
keep it indefinitely. The attacker can work as long as he wants in the privacy of his 
own computer to break the protection which has been applied. And since the artifact 
has intrinsic value, there’s no way we can make it "expire" (unless we’re lucky and the 
musical genre goes out of style in a hurry and the attacker no longer wants to hear the 
song). The risk cannot be removed from "bit-space" and transferred back to "atom- 
space". 



9 Mitigating Bob Risk 

The preceding discussion suggests that some Bob-type risks cannot be effectively 
mitigated. However there is some hope. If a Bob-type information artifact’s value 
decays over time, we may be able to choose sufficiently strong cryptography that by 
the time effectiveness decays to zero, the value of the artifact has also decayed to zero. 

In particular, if a Bob-type information artifact’s value depreciates (that is, its value 
decreases monotonically over time), then we can manage the risk associated with the 
artifact by (1) choosing a risk threshold, (2) predicting the rate of effectiveness decay 
of our cryptographic technology, and (3) choosing a strength of initial protection 
which insures that the risk never exceeds the chosen threshold (though it may ap- 
proach that threshold asymptotically). 

We note that applying cryptographic confidentiality protection to secret data always 
creates a Bob-type artifact. 
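To make the law of effectiveness decay and the two mitigations concrete, here is a toy model added for this discussion (it is not from the paper). It assumes that key and algorithm decay together erode a fixed number of bits of effective strength per year, that an Alice-type artifact keeps a fixed dollar value while in bit-space, and that a Bob-type artifact's value depreciates geometrically; every rate and value is constructed.

```python
# Added example (not from the paper): a toy model of the law of effectiveness
# decay and of the two mitigations, periodic manifestation for Alice-type
# artifacts (Section 7) and choosing initial strength for depreciating
# Bob-type artifacts (Section 9).  Every rate and value below is constructed.
import math


def failure_probability(strength_bits, bits_per_year, years):
    """Key and algorithm decay folded into one rate: the attacker's reach grows
    by bits_per_year bits of effective key length, so after `years` the
    searchable fraction of the key space is 2^(bits_per_year*years - strength),
    capped at 1 once the remaining effective strength is zero."""
    return min(1.0, 2.0 ** (bits_per_year * years - strength_bits))


def time_of_failure(strength_bits, bits_per_year):
    """The time f of the law of effectiveness decay: remaining strength is 0."""
    return strength_bits / bits_per_year


def risk(strength_bits, bits_per_year, years, value):
    """Section 2: risk = probability(failure) * consequence(failure), with the
    consequence taken as the dollar value of the artifact at that time."""
    return failure_probability(strength_bits, bits_per_year, years) * value


def manifestation_interval(strength_bits, bits_per_year, value, threshold):
    """Periodic manifestation (Section 7) for an Alice-type artifact of fixed
    value: the longest time it may stay in bit-space before the risk reaches
    the threshold, i.e. the solution t of 2^(r*t - s) * value = threshold.
    A non-positive result means the chosen strength is too weak to start."""
    if threshold >= value:
        return math.inf          # risk is capped at the value itself
    return (strength_bits + math.log2(threshold / value)) / bits_per_year


def initial_strength(bits_per_year, value0, depreciation_per_year, threshold):
    """Mitigating Bob risk (Section 9) for an artifact whose value is
    value0 * d^t (0 < d <= 1): the smallest strength s such that
    risk(t) = 2^(r*t - s) * value0 * d^t never exceeds the threshold.
    Let g = r + log2(d).  If g > 0 the risk rises until the time of failure
    f = s/r and then equals the remaining value value0 * d^f, so s must make
    that value at most the threshold; if g <= 0 the risk is largest at t = 0."""
    if threshold >= value0:
        return 0.0
    if depreciation_per_year >= 1.0:
        return math.inf          # value never decays: at time f the risk is value0
    g = bits_per_year + math.log2(depreciation_per_year)
    if g > 0:
        return (bits_per_year * math.log(threshold / value0)
                / math.log(depreciation_per_year))
    return math.log2(value0 / threshold)


if __name__ == "__main__":
    # Constructed numbers: 56 bits of effective strength eroded by one bit per
    # year, a $1,000,000 artifact and a $1,000 risk threshold.
    print(time_of_failure(56, 1.0))                     # 56.0 years
    print(manifestation_interval(56, 1.0, 1e6, 1e3))    # about 46.03 years
    print(initial_strength(1.0, 1e6, 0.9, 1e3))         # about 65.56 bits
```

With the Bob-type numbers above the risk curve peaks exactly at the threshold at the time of failure, which is the asymptotic behaviour the text describes; with faster depreciation (d = 0.5) the peak is at t = 0 and about 10 bits suffice.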

The following diagram shows how risk changes over time for depreciating Bob- 
type information artifacts in a system like the one we’ve just described. 
10 Commodity Risk 

We choose to call information artifacts (Alice-type or Bob-type) whose value changes 
unpredictably "commodities". Our inability to predict the consequences of a failure to 
protect them makes it difficult to choose either an expiration interval or an initial 
strength of protection proportionate to the risk they create. 

Commodity information artifacts can fall into at least the following four categories: 

A1 Alice-type; value trades within a predictable range during any interval. 

A2 Alice-type; value does not trade within a predictable range for some intervals. 

B1 Bob-type; value trades within a predictable range during any interval. 

B2 Bob-type; value does not trade within a predictable range for some intervals. 

This paper argues that the risk associated with commodities of type A1 can be miti- 
gated by assuming that the artifact’s value always takes on the maximum predicted 
value during the current interval, and using periodic manifestation. It might be 
worthwhile to consider how to manage the risk associated with the other three types of 
commodities. 
Abstract. Reference to the words profession and ethics in the media is becoming 
increasingly common, as is the incidence of litigation and exposure by individuals 
and businesses alike to information technology. Yet, the meaning of the 
terms profession and ethics remains nebulous for most of us. Perhaps Levin [1] 
had the right idea in simplifying our understanding when in a speech he used the 
principle of the camel in illustrating the meaning of a profession: "few can define 
it, but none can fail to recognise it." This is equally appropriate to ethics. 

One of the outcomes arising from the recent Y2K situation was an enhanced 
awareness by society at large of its dependence on IT systems. Y2K also focussed 
a spotlight on those working in the IT industry with an expectation that they perform 
their work in a professional manner. Ethics has always been considered a 
cornerstone of professional practice. Certainly a policy of caveat emptor (let the 
buyer beware) is inappropriate with respect to the computing profession. It is time 
to reinforce our professionalism through adherence to a rigorous Code of Ethics 
specified by a professional IT society so that a policy of credat emptor (let the 
buyer trust) becomes the accepted norm. ... 



1 Definitions 



1.1 Ethics 

Webster’s defines ’ethic’ as "the discipline dealing with what is good and bad with 
moral duty and obligation". Roget’s Thesaurus places ethic under morality - to incur a 
duty, to accept responsibility, to make oneself liable. Reference is also aptly made to 
a ’conduct of duty’ in the context of ’professional status’ [2]. Perhaps a more useful 
description is that ethics are a "framework for human conduct that relates to moral 
principles and attempt to distinguish right from wrong" [3]. 

Rarely will a particular ethical dilemma lend itself to a simple black/white solution. 
Thus, codes of ethics need to be viewed as a framework to be used in working towards 
an outcome rather than as a specific solution to a problem. 



1.2 Professional 



Experience dictates that attempting to define a profession is fraught with great difficulty. 
Levin [1], a British journalist, in a valuable speech given in New Zealand chose 
instead to rely on the principle of the camel: 

"few can define it, but none can fail to recognise it." 

The Australian Council of Professions defines a profession as follows: 

"A profession is a disciplined group of individuals who adhere to 
ethical standards and uphold themselves to, and are accepted by the 
public as possessing special knowledge and skills in a widely 
recognised body of learning derived from research, education and 
training at a high level, and who are prepared to exercise this 
knowledge and these skills in the interest of others. 

It is inherent in the definition of a profession that a code of ethics 
govern the activities of each profession. Such codes require behaviour 
and practice beyond the personal moral obligations of an individual. 

They define and demand high standards of behaviour in respect to the 
services provided to the public and in dealing with professional 
colleagues. 

Further, these codes are enforced by the profession and are 
acknowledged and accepted by the community." 

(http://www.austprofessions.com.au) 

The ACP definition above reinforces the role of a professional society such as the 
ACS in enforcing the adherence of its members to their respective codes of ethics. 

Generally it is accepted that a profession can be defined through the identification 
of a body of common knowledge [4] which embraces the following: 



(i) A standard educational curriculum 

(ii) A requirement to hold an approved tertiary qualification together 
with relevant experience 

(iii) A Code of Ethics 

(iv) An acceptance of personal liability 

(v) A commitment to ongoing professional development and 

(vi) A licence or certificate to practise 



A code of ethics is but one of the necessary requirements for a practising 
professional in any profession today. 
2 Key Ethical Concepts 

Mason [5] identified four issues relevant to IT which he summarised with the acronym 
PAPA which stood for ’privacy’, ’accuracy’, ’property’ and ’accessibility’. Asenjo [6] 
presents an analysis of fifteen different ethical codes and concludes that "codes of 
ethics of IS professionals do treat as very important the four ethical issues singled out 
by Mason." 

Another study performed under the auspices of IFIP analysed the codes of ethics of 
30 societies of computing professionals [7]. The findings of the IFIP project similarly 
supported the view that a majority of the codes examined refer to the PAPA issues. 



3 The Australian Computer Society 

Since its formation in 1966 the Australian Computer Society has embraced each 
of the six points above, together with other professional bodies. A recent result 
of this was the admission of the ACS on 1 January 2000 into the Australian 
Council of Professions, ostensibly the first society of IT professionals in the 
world to be granted this honour in its own right. 

The ACS boasts a current membership of approximately 16,000 and has Branches 
in each State and Territory of Australia. It is affiliated with international IT bodies 
such as the International Federation of Information Processing (IFIP) and the South 
East Asia Regional Computer Confederation (SEARCC). 

Professionalism has been a stated priority of the ACS since the author’s national 
presidency in 1990-1991 and has been pursued by subsequent Presidents of the 
society. The ACS introduced the Practising Computing Professional (PCP) scheme 
nationally in 1991. The scheme recognises those members who engage in ongoing 
education activities as Practising Computing Professionals, or PCP's with a certificate 
issued to individuals recognising this status. 

In 1993 the ACS introduced an industry based Certification Program at a masters 
level consisting of four one semester modules. It is delivered by distance education 
and can be completed part-time within two years. Examinations are conducted by 
Deakin University in 95 cities throughout Australia and 33 cities in the Asia Pacific 
region [acs.org.au.]. 

To complete the Certification Program, participants must pass the two core 
subjects: IT Trends and Business Legal and Ethical Issues and two subjects from one 
of the following specialist streams: 

• IT Strategy and Management 

• Project Management 

• Marketing and Selling IT 

• e-Business (new in 2000) 

• Software Engineering (new in 2000) 

• Systems Integration - To be phased out in 2000 

• Data Communications - To be phased out in 2000 
The ACS supports a number of functional boards similar to the Technical 
Committee structure of IFIP. The boards most relevant to this topic include the 
Membership Board, the Community Affairs Board and the Technical Board. 

Within the ACS Community Affairs Board the Economic, Legal and Social 
Implications Committee (ELSIC) addresses ethics and privacy. Recently the committee 
established a Computer Ethics taskforce, while the Committee has for a number of 
years been proactive in making a number of privacy submissions to the Australian 
government. For example, it has produced a response to the Attorney-General's 
Department request for comments on 'A privacy scheme for the private sector: 
Release of Key Provisions' 
(http://www.acs.org.au/boards/cab/elsic/privacy-2000-01-agd.html), a 
Position on Privacy (http://www.acs.org.au/president/1998/past/privpos.htm), a 
statement on Regulation of the Internet (http://www.acs.org.au/boards/cab/regulation.html) and 
a statement on cryptography as per the IFIP TC11 statement (http://www.acs.org.au/news/caelli.htm). 

All professional members of the ACS are bound by the ACS Code of Ethics 
(http://www.acs.org.au/national/pospaper/acsl31.htm) and the Code of Professional 
Conduct and Professional Practice (www.acs.org.au/national/pospaper/code2.htm). A 
Disciplinary Committee to act on allegations of improper professional behaviour is 
maintained as a standing committee by the ACS to take disciplinary action where 
necessary. 



4 The Australian Council of Professions 

The initial constitution for the (then) Federal Council of Professions was approved on 
12 November 1971. The main objectives of the new Council were seen at that time as 
being to maintain and advance the standards and status of the professions in the com- 
munity generally and to uphold and advance the honour and reputation of the profes- 
sions and the integrity and standing of the members thereof. 

The current vision statement published on the Council’s web page 
(http://www.austprofessions.com.au) is as follows: 

"The ACP, reflecting the needs and commitment of its growing 
constituency, strives to become the recognised authority on 
professional ideals, conduct, standards and practice in the service of 
the community. 

It will have an active voice on matters of national development, 
regulation and education based on well researched information. 

It will make good use of modern technologies and will communicate 
well with government and the community. 

The ACP will be efficient, cohesive, dynamic and well-focussed in 
harnessing the resources of its expanding membership to address the 
issues of common professional concern." (Adopted, General Meeting, 
17 November 1997) 

As the national peak body of Australian professional associations the ACP sees its 
role as advancing and promoting professionalism for the benefit of the community. 
5 Professional Standards Bill 

In 1999 the New South Wales government introduced the Professional Standards Bill. 
In essence the bill capped the liability on time and money of a "Professional of 
Record" who is listed on an approved register. 

The NSW Government has defined a 'Professional of Record" as the professional 
who authorised the documents or actions related to the matter in contention in an ac- 
tion within the ambit of the legislation. The Australian Council of Professions en- 
dorses the incorporation of this definition in the legislative framework, in which an 
"Approved Register" is defined as: 

(a) one in which membership is voluntary and is limited to professionals who 

i. have defined minimum qualifications in both tertiary education and experience 
such that the holders can operate as professionals independently 
within their field of competence; 

ii. adhere to a Code of Ethics (the NSW Government's special requirements 
for risk management and continuing professional development are an inherent 
part of ethical practice required by the Code); and 

iii. are covered by professional indemnity insurance, either directly or indirectly, 
to the level required by the legislation; and 

(b) one which provides for 

i. eligibility competently assessed using established processes against well 
defined criteria for tertiary education standards, professional experience 
and continuing professional development; 

ii. access by the public to a register of current members and ability to lodge 
complaints; 

iii. disciplinary action for breaches of the Code of Ethics; 

iv. the right of appeal by professionals judged ineligible for entry to the 
scheme or judged liable for disciplinary action; 

v. access to a mediator or arbitrator, nominated by the President of the 
Professional Association, to assist in the resolution of disputes; and 

vi. scheme to be run by a "Registration Board" administered by the Professional 
Association and able to draw on the full range of Professional Association 
experience and expertise. [http://www.austprofessions.com.au] 
The Australian Council of Professions further proposes that the following aspects be included in the processes and documentation for a register to be submitted for approval under any legislation:

i. definition of standards of qualification (both academic and experience) for admission to the register;

ii. processes for accreditation of educational programs (both Australian and overseas) which satisfy the academic qualification requirement;

iii. processes for assessment of applicants' conformance to the qualification requirement;

iv. process for appeal by applicants who have been judged ineligible for entry to the register;

v. definition of standards to be achieved in continuing professional development;

vi. processes for assessing conformance of persons on the register to the professional development standards (quality and quantity factors);

vii. defined Code of Ethics;

viii. defined requirements for professional indemnity insurance;

ix. process for issuing of annual practising certificates on payment of the annual fee;

x. disciplinary processes for breaches of conditions of register;

xi. process for appeal by persons subject to disciplinary actions;

xii. processes for mediation and arbitration in disputes; and

xiii. administrative processes and fee structure for the register.

The Australian Council of Professions expects that, as a result of this practice, registration by the Professions would supersede other registration procedures so that costs on the individual professional would largely be offset. (Adopted, General Meeting, 5 November 1990)

The capping of liability may be seen by some as not necessarily in support of the public interest. The Professional Standards Bill enacted in New South Wales nevertheless illustrates one instantiation of a mechanism for control over a professional society and its members.
The ACS, in seeking admission to the ACP, was required to demonstrate that mechanisms were in place to ensure compliance with the requirements of the NSW Professional Standards legislation.

6 Codes of Ethics 

From a societal perspective it is comforting to recognise that the major professional computing societies already have codes governing the behaviour of their members. One of the largest professional IT associations, the Association for Computing Machinery (ACM), adopted, through its Council, a set of guidelines for Professional Conduct in Information Processing as far back as November 1966. Also in the United States, the Data Processing Management Association (DPMA) and the Institute of Electrical and Electronics Engineers (IEEE) both have a code of ethics. The British Computer Society (BCS) agreed codes of practice and conduct in 1983, while the Australian Computer Society (ACS) adopted a code of ethics instrument in 1987 which replaced one originally endorsed in 1979.

Many professional IT organisations throughout the world have also introduced similar guidelines. While the intent of these guidelines is usually the same, the contents, wording and titles are often significantly different. In general it would appear that this is related to the character and size of the organisation.

The ACP has defined ethical requirements for their member professions as follows: 

Professionals shall: 

1. at all times place the responsibility for the welfare, health and safety of the community before their responsibility to the profession, to sectional or private interests, or to other professionals;

2. act so as to uphold and enhance the honour, integrity and dignity of the profession;

3. perform professional practice in only their areas of competence;

4. build their professional reputation on merit and shall not compete unfairly;

5. apply their skills and knowledge in the interest of their employer or client for whom they shall act, in professional matters, as faithful agents or trustees;

6. give evidence, express opinions or make statements in an objective and truthful manner and on the basis of adequate knowledge;

7. continue their professional development throughout their careers and shall actively assist and encourage professionals under their direction to advance their knowledge and experience.
All constituent bodies must have in place disciplinary provision under which alleged breaking of the code of ethics by any of their members can be investigated and, if proven, penalised. [Adopted, General Meeting, 5 November 1990]

The recent moves by the Texas Board of Professional Engineers in adopting software engineering as a distinct discipline under which engineering licences could be issued perhaps foreshadow a move towards regulation [8]. It is also interesting to note that a separate Code of Ethics for Software Engineers was developed as a part of this project [http://www.acm.org/serving/se/code.htm].

The initiative in Texas is significant since the term engineer in the United States 
has legal connotations and its use is restricted to those who meet the criteria to be 
registered as professional engineers. 

We still need to recognise, however, that no regulations currently exist anywhere in the world that require a practising IT professional to be registered, certified, or licensed. A number of specialised certifications exist, for example in quality, project management and security; however, there is typically no legal requirement binding on anyone practising IT to become certified. In discussing the new software engineering code of ethics, Gotterbarn [10] proposes that "Sanctions will occur only when the Code is publicly adopted as a generally accepted standard of practice, and when both society and legislators view the failure to follow the Code as negligence, malpractice, or just poor workmanship".

7 Security and Privacy 

It is probable that the majority of IT professionals have long recognised the importance of including security mechanisms in computer application systems for the protection of personal privacy as well as data. It is also probable that the importance of these issues has been overlooked by computer manufacturers, the user community and society at large. The delivery of computer hardware with security features disabled points to a fundamental ignorance of the importance and application of security in today's electronic world.

The onset of e-business will however highlight the importance of security in the related application systems. Both business and personal users of e-business systems will expect that these systems will guarantee an acceptable level of security and privacy protection. I.T. security professionals will find that their advice is sought and their recommendations implemented. All of a sudden they will be in the spotlight of public attention and will find themselves being held accountable for their actions.

Self-regulation by industry with respect to e-business will become extremely important, since any inaction will inevitably result in the intrusion of government. This position is ably illustrated by a recent survey of the top 200 most accessed Web sites in Australia. The survey author, Australian National University law faculty masters candidate Ben Macklin, stated "The . . . survey reveals that in an environment without legislation, organisations online have not addressed the privacy and security concerns of the consumer." [11]

Other measures, such as the recent launch by IBM, Disney and Time Warner of the Online Privacy Alliance, defining a code of practice and developing a privacy symbol to be carried by Web sites, further illustrate the strength of business concern about privacy. It is likely that the move by these Internet heavyweights was to forestall any potential government intervention. A current proposal in Australia reported by Bushell [11] is for the Government to base its legislation on the Privacy Commissioner's National Principles for the Fair Handling of Personal Information and the draft Data Protection Bill of Victoria. It would involve the adoption of industry codes approved by the Privacy Commissioner. It would also enforce minimum privacy standards in areas where industry codes are not adopted.

Again, Macklin's [11] conclusion "that in an environment without legislation, organisations online have not addressed the privacy and security concerns of the consumer" suggests that self-regulation in the industry has not been sufficient and that government legislation is warranted.

Most in industry would accept the view that the greatest returns in doing business electronically relate to business-to-business transactions. Ensuring a secure environment within which to transfer and process related transaction data is of paramount importance. Similarly, there is evidence that privacy concerns related to on-line purchasing, expressed by consumers, are impeding the take-up of e-commerce. The establishment of the necessary operating environment to protect both privacy and security will be heavily influenced by I.T. security professionals. Attention to ethics and adherence to a self-regulatory framework will be essential if the potential of e-Business is to be achieved.

8 Australian Legislation - Privacy and Security 

In Australia there are currently no Commonwealth, State or Territory laws that deal with e-Business security, nor is there any State or Territory legislation dealing with privacy.

The Australian government enacted the Privacy Act (1988) [12] which applies only 
to government departments and credit agencies and not to the private sector. The Act 
embraces ten Information Privacy Principles concerning the protection of privacy and 
individual liberties espoused by the Organisation for Economic Co-operation and 
Development. 

The failure of the Privacy Act to apply to the private sector has always been a contentious issue, with the development of a Privacy Charter initiated in August 1992 by Justice Michael Kirby, then President of the NSW Court of Appeal; Graham Greenleaf, Associate Professor of Law at the University of NSW; and Simon Davies, Director-General of Privacy International. This Charter was launched on 6 December 1994 and sets out 18 general privacy and data protection standards appropriate to the range of issues associated with the right to privacy in the 1990s. In December 1999, the Attorney-General's Department released an information paper on proposed legislation for the protection of privacy in the private sector. At the time of writing this Privacy Amendment (Private Sector) Bill 2000 has been referred to the House Standing Committee on Legal and Constitutional Affairs (http://www.aph.gov.au/house/committee/laca/Privacybill/inqinf.htm).
9 Conclusion

Turpeinen [13], in identifying a range of legal and ethical issues related to cryptography and information security, concluded that "strong international co-operation is needed to face the global challenges of secure networks and use of cryptography in private and business applications". This global challenge still has to be met by the I.T. profession.

Yet, the dynamic nature of I.T. and in particular the rapid escalation of electronic trading will result in situations that the current legal system is unable to handle because of an absence of appropriate laws. Again, the national legal systems throughout the world, let alone a global legal body, are ill-equipped to frame laws and legislation in the immediate time-frame necessary. In this vacuum individuals' privacy and the security of business data will rely on the tools, techniques and advice of I.T. security professionals. Given this scenario the protection of privacy and security in installed computing application systems generally will rely largely on the ethical stance of professionals practising in the I.T. industry.